Fetchmail Error - Server certificate verification error

Hi - I’m still using my first eMail account with T-Online - even if 99% of all mails run directly into my own mail-server.

That is why I overlooked (for some time) that no eMails sent to my T-Online account have been imported via Fetchmail into my mail-box.

I did not change anything on the T-Online end - nor on the Fetchmail settings themselves - for a long time. Maybe a UCS update had an impact or the restrictions on the T-Online end changed.

Let’s focus on the solution.
Here is the extraction from the log:

--> starting fetchmail 6.4.37 daemon
--> Server certificate verification error: self-signed certificate in certificate chain
--> Missing trust anchor certificate: /C=NA/ST=NA/L=NA/O=NA/OU=NA/CN=Default_CA_6pvzwTQkm2dGBs0/emailAddress=na@example.com
--> This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
--> OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
--> securepop.t-online.de: SSL connection failed.
--> socket error while fetching from MEIN.NAME@securepop.t-online.de
--> Query status=2 (SOCKET)

I checked if T-Online has changed something - but for me it looks like → nothing changed.

Anyone - any idea?

Thank you in advance

Hello @Pepe

Your error message clearly states that there is something off with the certificate:

→ This could mean that the root CA’s signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.

Have you checked that?

$ openssl s_client -connect securepop.t-online.de:995 -showcerts

The issuer of the server cert is:

C = DE, O = Deutsche Telekom Security GmbH, CN = Telekom Security ServerID OV Class 2 CA

and this cert is signed by:

C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2

You should have at least one of them in your certificate store → /usr/share/ca-certificates/

On my Ubuntu the file containing the relevant RootCA is /usr/share/ca-certificates/mozilla/T-TeleSec_GlobalRoot_Class_2.crt

Maybe first give it a try by updating the available certificates:

$ sudo update-ca-certificates --verbose [--fresh]

Use --fresh as well if you want to rebuild the whole store.


Good Luck!

Addendum:
You might check if there is an update for package ca-certificates!

THX @nicost for coming back to me.

Maybe some more details will help to better understand the setup:
On the primary and backup no Fetchmail is installed - just on the mail-server itself → default installation via the UCS package.

By using the command "$ openssl s_client -connect securepop.t-online.de:995 -showcerts" I’m getting the following output (to save space I have deleted parts of the cert itself - reduced to just 5 lines each):

# openssl s_client -connect securepop.t-online.de:995 -showcerts
CONNECTED(00000003)
depth=1 C = NA, ST = NA, L = NA, O = NA, OU = NA, CN = Default_CA_6pvzwTQkm2dGBs0, emailAddress = na@example.com
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=1 C = NA, ST = NA, L = NA, O = NA, OU = NA, CN = Default_CA_6pvzwTQkm2dGBs0, emailAddress = na@example.com
verify return:1
depth=0 C = DE, ST = Nordrhein-Westfalen, L = Bonn, O = Deutsche Telekom AG, CN = securepop.t-online.de
verify return:1
---
Certificate chain
 0 s:C = DE, ST = Nordrhein-Westfalen, L = Bonn, O = Deutsche Telekom AG, CN = securepop.t-online.de
   i:C = NA, ST = NA, L = NA, O = NA, OU = NA, CN = Default_CA_6pvzwTQkm2dGBs0, emailAddress = na@example.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 18 13:38:58 2024 GMT; NotAfter: Nov 22 23:59:59 2025 GMT
-----BEGIN CERTIFICATE-----
MIIESzCCAzOgAwIBAgIQZ+lmuwAAHueWQEcoRDfl0zANBgkqhkiG9w0BAQsFADCB
hTELMAkGA1UEBhMCTkExCzAJBgNVBAgMAk5BMQswCQYDVQQHDAJOQTELMAkGA1UE
YHhaFP58pihPY4o7Y6OzNkDdhBfGpw4DKgoBKQq7EzA8QtP/hudSchpTKy6fthgJ
42sxKIpQbgSR47NYst8OBwIRY4s+V8AlqKQ3n1sRCUGbq093z5fE7uGE5n9ITQDL
22/RpD/4aFKzrc2f1iSwxWQ7xiUk/csweX82VjDtHAhg3oEFFGAK0ZhG75D1iFc=
-----END CERTIFICATE-----
 1 s:C = NA, ST = NA, L = NA, O = NA, OU = NA, CN = Default_CA_6pvzwTQkm2dGBs0, emailAddress = na@example.com
   i:C = NA, ST = NA, L = NA, O = NA, OU = NA, CN = Default_CA_6pvzwTQkm2dGBs0, emailAddress = na@example.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 27 12:34:57 2024 GMT; NotAfter: Dec 31 12:34:57 2036 GMT
-----BEGIN CERTIFICATE-----
MIIEkzCCA3ugAwIBAgIUFIv9LVJKG5D5cEOLPqWaTAtetH0wDQYJKoZIhvcNAQEL
BQAwgYUxCzAJBgNVBAYTAk5BMQswCQYDVQQIDAJOQTELMAkGA1UEBwwCTkExCzAJ
Aec3BZW30nakKrUxxgme7psyexxIaDvGs/9YuPRtdFjQQlY9wvc3DSqbOE5j/aYD
9wL5OnN33b9COh7Strc7655mSVAKvwzE5XpXRKRNg5wrgJRdF8hs78Er0hjbTuVF
QpErj01XL4HbVEVUpmGrWY4i6FuVvzE=
-----END CERTIFICATE-----
---
Server certificate
subject=C = DE, ST = Nordrhein-Westfalen, L = Bonn, O = Deutsche Telekom AG, CN = securepop.t-online.de
issuer=C = NA, ST = NA, L = NA, O = NA, OU = NA, CN = Default_CA_6pvzwTQkm2dGBs0, emailAddress = na@example.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2839 bytes and written 407 bytes
Verification error: self-signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self-signed certificate in certificate chain)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F5EE4855480208F37C484F66B730C460F19BAB593DD5A6254A0EB5074132B003
    Session-ID-ctx:
    Resumption PSK: A587F09D7E6B3C51911638E600BE00E77169D129A7395A516864F4CBFDFEF618901AD69C540BD5AE2F39E142ACA70565
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - d3 f6 f7 bb 85 0f 98 bf-20 19 05 13 a9 a7 ea f3   ........ .......
    0010 - 53 aa c3 f2 e7 3c da 13-6c 0f f1 b7 2c 33 a6 90   S....<..l...,3..
    0020 - d3 7c 42 f7 27 38 d3 85-52 31 82 66 4b ec 3b 44   .|B.'8..R1.fK.;D
    0030 - f3 f4 44 21 bd 54 e2 2f-3f 35 c7 fa 3f e5 d3 9c   ..D!.T./?5..?...
    0040 - 77 99 1d cb e0 c9 57 97-8b b8 39 99 d9 74 4b 93   w.....W...9..tK.
    0050 - 97 ba af 9e 7f e1 ff 51-d8 08 6f 0f 7f 9e fc 54   .......Q..o....T
    0060 - 74 94 e0 82 e9 f2 04 df-c2 a5 40 9b b8 20 30 77   t.........@.. 0w
    0070 - 12 c0 c7 a5 be 4a 08 40-f8 6f d9 da a0 14 a7 e1   .....J.@.o......
    0080 - d4 b4 e0 8a fa a5 1b 6f-91 be c3 21 30 4b 22 d1   .......o...!0K".
    0090 - 70 1f 68 69 d8 3c f2 f7-ec 9e 80 e8 cd 9c 3c 7d   p.hi.<........<}
    00a0 - d9 18 9d c0 bb 45 e7 bf-94 85 14 41 46 f0 1f 13   .....E.....AF...
    00b0 - 36 46 57 d8 b2 2f c9 8c-e2 9a cd 8d c2 35 3c b8   6FW../.......5<.

    Start Time: 1743763681
    Timeout   : 7200 (sec)
    Verify return code: 19 (self-signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: C5A2B93CA28CA9EE951159DF6F1346CBB157FD6E36F3E1F7F1CBE97A8C491A8A
    Session-ID-ctx:
    Resumption PSK: 2D2BFD8194DBA5EAEFD00A9496FAEC503527D1E88E75675F5CED81AC34039995394BFF7DFEAD2126924531DA0AB1A7C1
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - d3 f6 f7 bb 85 0f 98 bf-20 19 05 13 a9 a7 ea f3   ........ .......
    0010 - 78 ee b4 de f6 ce c8 dd-34 67 4e 10 b3 91 23 81   x.......4gN...#.
    0020 - 78 9b dc 6e 06 81 0c 5c-73 89 02 4e 7a f5 f4 4d   x..n...\s..Nz..M
    0030 - f3 a9 57 2b 20 41 87 28-94 cd e6 c8 8b 46 a4 ec   ..W+ A.(.....F..
    0040 - d3 f9 f5 32 d9 e6 55 81-dd 2e 0e 0a ea 02 94 9a   ...2..U.........
    0050 - 54 d0 fc d0 49 f8 11 42-b9 6a 3f 1a 33 c0 c8 d6   T...I..B.j?.3...
    0060 - c3 5b e8 81 9a 64 b2 5c-6b 2c 60 5b 77 95 61 d9   .[...d.\k,`[w.a.
    0070 - ff 33 0b 8c ba e5 a0 dc-1f 59 59 42 bb db f8 c5   .3.......YYB....
    0080 - 36 16 34 8d 7e 66 d5 72-34 75 d7 84 55 4f fc e1   6.4.~f.r4u..UO..
    0090 - fb f4 e9 44 7b 6a cc a8-b8 66 45 8e 2c 2c 29 c4   ...D{j...fE.,,).
    00a0 - b6 da ab d8 26 e9 78 94-a6 00 97 e7 a3 89 94 79   ....&.x........y
    00b0 - 9f 9e 77 27 ae ee 2a c8-2d eb 42 d5 a3 03 21 5d   ..w'..*.-.B...!]

    Start Time: 1743763681
    Timeout   : 7200 (sec)
    Verify return code: 19 (self-signed certificate in certificate chain)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
+OK T-Online POP3 Server fpopd securepop.t-online.de ready
closed

As you mentioned - I was able to find the two certs here (on the mail/replica-server):

  • /usr/share/ca-certificates/mozilla/T-TeleSec_GlobalRoot_Class_2.crt
  • /usr/share/ca-certificates/mozilla/T-TeleSec_GlobalRoot_Class_3.crt

I used “sudo update-ca-certificates --verbose” and as well “sudo update-ca-certificates --verbose --fresh” on the mail/replica-server:

Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
Doing .
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
link D-TRUST_Root_Class_3_CA_2_EV_2009.pem -> d4dae3dd.0
link Entrust_Root_Certification_Authority_-_G4.pem -> 5e98733a.0
link ANF_Secure_Server_Root_CA.pem -> b433981b.0
link Security_Communication_ECC_RootCA1.pem -> 5860aaa6.0
link Amazon_Root_CA_1.pem -> ce5e74ef.0
link Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem -> 3bde41ac.0
link Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068_2.pem -> 3bde41ac.1
link Certum_Trusted_Network_CA_2.pem -> 40193066.0
link Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem -> 7719f463.0
link COMODO_Certification_Authority.pem -> 40547a79.0
link DigiCert_Assured_ID_Root_CA.pem -> b1159c4c.0
link AC_RAIZ_FNMT-RCM.pem -> cd8c0d63.0
link Buypass_Class_2_Root_CA.pem -> 54657681.0
link Amazon_Root_CA_4.pem -> de6d66f3.0
link Buypass_Class_3_Root_CA.pem -> e8de2f56.0
link HARICA_TLS_RSA_Root_CA_2021.pem -> 9f727ac7.0
link Microsoft_RSA_Root_Certificate_Authority_2017.pem -> bf53fb88.0
link GlobalSign_ECC_Root_CA_-_R4.pem -> b0e59380.0
link GLOBALTRUST_2020.pem -> fa5da96b.0
link vTrus_Root_CA.pem -> 7a3adc42.0
link T-TeleSec_GlobalRoot_Class_2.pem -> 1e09d511.0
link TrustCor_RootCert_CA-2.pem -> 3e44d2f7.0
link Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem -> 32888f65.0
link GlobalSign_Root_CA_-_R3.pem -> 062cdee6.0
link ePKI_Root_Certification_Authority.pem -> ca6e4ad9.0
link QuoVadis_Root_CA_3_G3.pem -> e18bfb83.0
link emSign_ECC_Root_CA_-_C3.pem -> 4b718d9b.0
link ISRG_Root_X1.pem -> 4042bcee.0
link Starfield_Services_Root_Certificate_Authority_-_G2.pem -> 09789157.0
link TeliaSonera_Root_CA_v1.pem -> 5cd81ad7.0
link SZAFIR_ROOT_CA2.pem -> fe8a2cd8.0
link Amazon_Root_CA_2.pem -> 6d41d539.0
link GTS_Root_R1.pem -> 1001acf7.0
link Go_Daddy_Root_Certificate_Authority_-_G2.pem -> cbf06781.0
link emSign_Root_CA_-_G1.pem -> 2923b3f9.0
link D-TRUST_BR_Root_CA_1_2020.pem -> 9ef4a08a.0
link GlobalSign_Root_E46.pem -> feffd413.0
link emSign_Root_CA_-_C1.pem -> 406c9bb1.0
link COMODO_ECC_Certification_Authority.pem -> eed8c118.0
link GTS_Root_R3.pem -> 0a775a30.0
link Certum_EC-384_CA.pem -> 9482e63a.0
link SecureTrust_CA.pem -> f39fc864.0
link Go_Daddy_Class_2_CA.pem -> f081611a.0
link Amazon_Root_CA_3.pem -> 8cb5ee0f.0
link Starfield_Root_Certificate_Authority_-_G2.pem -> 4bfab552.0
link QuoVadis_Root_CA_3.pem -> 76faf6c0.0
link GDCA_TrustAUTH_R5_ROOT.pem -> 0f6fa695.0
link Entrust.net_Premium_2048_Secure_Server_CA.pem -> aee5f10d.0
link DigiCert_Global_Root_G3.pem -> dd8e9d41.0
link SSL.com_EV_Root_Certification_Authority_RSA_R2.pem -> 06dc52d5.0
link SSL.com_EV_Root_Certification_Authority_ECC.pem -> f0c70a8d.0
link HiPKI_Root_CA_-_G1.pem -> 90c5a3c8.0
link DigiCert_Global_Root_G2.pem -> 607986c7.0
link vTrus_ECC_Root_CA.pem -> ed858448.0
link GlobalSign_ECC_Root_CA_-_R5.pem -> 1d3472b9.0
link certSIGN_Root_CA_G2.pem -> 5f618aec.0
link Secure_Global_CA.pem -> b66938e9.0
link TrustCor_RootCert_CA-1.pem -> 5d3033c5.0
link OISTE_WISeKey_Global_Root_GB_CA.pem -> e73d606e.0
link DigiCert_High_Assurance_EV_Root_CA.pem -> 244b5494.0
link COMODO_RSA_Certification_Authority.pem -> d6325660.0
link USERTrust_RSA_Certification_Authority.pem -> fc5a8f99.0
link CFCA_EV_ROOT.pem -> 0b1b94ef.0
link OISTE_WISeKey_Global_Root_GC_CA.pem -> 773e07ad.0
link Entrust_Root_Certification_Authority_-_EC1.pem -> 106f3e4d.0
link SwissSign_Gold_CA_-_G2.pem -> 4f316efb.0
link D-TRUST_Root_Class_3_CA_2_2009.pem -> c28a8a30.0
link GlobalSign_Root_R46.pem -> 002c0b4f.0
link TunTrust_Root_CA.pem -> fd64f3fc.0
link Atos_TrustedRoot_2011.pem -> e36a6752.0
link TWCA_Root_Certification_Authority.pem -> b7a5b843.0
link NAVER_Global_Root_Certification_Authority.pem -> 3fb36b73.0
link Certigna.pem -> e113c810.0
link UCA_Extended_Validation_Root.pem -> 0f5dc4f3.0
link DigiCert_Assured_ID_Root_G3.pem -> 7f3d5d1d.0
link ACCVRAIZ1.pem -> a94d09e5.0
link DigiCert_TLS_ECC_P384_Root_G5.pem -> 9846683b.0
link TrustCor_ECA-1.pem -> 7aaf71c0.0
link Certainly_Root_R1.pem -> 7a780d93.0
link NetLock_Arany_=Class_Gold=_Főtanúsítvány.pem -> 988a38cb.0
link Actalis_Authentication_Root_CA.pem -> 930ac5d2.0
link Hongkong_Post_Root_CA_3.pem -> 68dd7389.0
link SwissSign_Silver_CA_-_G2.pem -> 57bcb2da.0
link QuoVadis_Root_CA_1_G3.pem -> 749e9e03.0
link GlobalSign_Root_CA_-_R6.pem -> dc4d6a89.0
link DigiCert_TLS_RSA4096_Root_G5.pem -> d52c538d.0
link Microsec_e-Szigno_Root_CA_2009.pem -> 8160b96c.0
link ucsCA.pem -> 4cd56f7c.0
link DigiCert_Trusted_Root_G4.pem -> 75d1b2ed.0
link Telia_Root_CA_v2.pem -> 8f103249.0
link SSL.com_Root_Certification_Authority_ECC.pem -> 0bf05006.0
link AffirmTrust_Commercial.pem -> 2b349938.0
link IdenTrust_Commercial_Root_CA_1.pem -> ef954a4e.0
link QuoVadis_Root_CA_2.pem -> d7e8dc79.0
link GlobalSign_Root_CA.pem -> 5ad8a5d6.0
link SSL.com_Root_Certification_Authority_RSA.pem -> 6fa5da56.0
link Izenpe.com.pem -> cc450945.0
link CA_Disig_Root_R2.pem -> 2ae6433e.0
link Starfield_Class_2_CA.pem -> f387163d.0
link Certainly_Root_E1.pem -> 8508e720.0
link Entrust_Root_Certification_Authority.pem -> 6b99d060.0
link AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem -> b81b93f0.0
link Certigna_Root_CA.pem -> f51bb24c.0
link Certum_Trusted_Network_CA.pem -> 48bec511.0
link Security_Communication_RootCA3.pem -> 08063a00.0
link E-Tugra_Certification_Authority.pem -> 5273a94c.0
link Trustwave_Global_ECC_P384_Certification_Authority.pem -> d887a5bb.0
link TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem -> ff34af3f.0
link SecureSign_RootCA11.pem -> 18856ac4.0
link Hongkong_Post_Root_CA_1.pem -> 3e45d192.0
link DigiCert_Assured_ID_Root_G2.pem -> 9d04f354.0
link AffirmTrust_Premium_ECC.pem -> 9c8dfbd4.0
link emSign_ECC_Root_CA_-_G3.pem -> 14bc7599.0
link e-Szigno_Root_CA_2017.pem -> e868b802.0
link DigiCert_Global_Root_CA.pem -> 3513523f.0
link AffirmTrust_Premium.pem -> b727005e.0
link Microsoft_ECC_Root_Certificate_Authority_2017.pem -> 8d89cda1.0
link Trustwave_Global_ECC_P256_Certification_Authority.pem -> 9b5697b0.0
link Security_Communication_RootCA2.pem -> cd58d51e.0
link Baltimore_CyberTrust_Root.pem -> 653b494a.0
link D-TRUST_EV_Root_CA_1_2020.pem -> 5931b5bc.0
link ssl-cert-snakeoil.pem -> 3d00c1df.0
link HARICA_TLS_ECC_Root_CA_2021.pem -> ecccd8db.0
link Security_Communication_Root_CA.pem -> f3377b1b.0
link E-Tugra_Global_Root_CA_RSA_v3.pem -> 66445960.0
link QuoVadis_Root_CA_2_G3.pem -> 064e0aa9.0
link T-TeleSec_GlobalRoot_Class_3.pem -> 5443e9e3.0
link GTS_Root_R4.pem -> a3418fda.0
link AffirmTrust_Networking.pem -> 93bc0acc.0
link XRamp_Global_CA_Root.pem -> 706f604c.0
link GTS_Root_R2.pem -> 626dceaf.0
link Certum_Trusted_Root_CA.pem -> e35234b1.0
link USERTrust_ECC_Certification_Authority.pem -> f30dd6ad.0
link Entrust_Root_Certification_Authority_-_G2.pem -> 02265526.0
link E-Tugra_Global_Root_CA_ECC_v3.pem -> 5a7722fb.0
link UCA_Global_G2_Root.pem -> c01eb047.0
link Comodo_AAA_Services_root.pem -> ee64a828.0
link TWCA_Global_Root_CA.pem -> 5f15c80c.0
link IdenTrust_Public_Sector_Root_CA_1.pem -> 1e08bfd1.0
link certSIGN_ROOT_CA.pem -> 8d86cdd1.0
link Trustwave_Global_Certification_Authority.pem -> f249de83.0
link ISRG_Root_X2.pem -> 0b9bc432.0
141 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

FYI: The date of the cert did not change.

The error in the mail.log file stays as before.

Why do we see this message:

verify error:num=19:self-signed certificate in certificate chain

I never created a self-signed cert on any UCS server - do I have to?

Is UCS/fetchmail not trusting T-Online, or is T-Online not trusting UCS/fetchmail?

Thank you in advance
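An added check for the two chains quoted in this thread (editor's example, not code from the posts, from UCS or from fetchmail). It parses the "Certificate chain" block that `openssl s_client -showcerts` prints, links each certificate to the next by subject/issuer, and reproduces the decision OpenSSL reports as verify error 19: a chain whose top certificate is self-signed and not among the trust anchors. It also compares the leaf's issuer with the Telekom issuer the earlier reply names, because the two cases need different fixes: an expected issuer with a missing root is solved by updating the CA store, while a leaf issued by an unknown CA (here CN=Default_CA_6pvzwTQkm2dGBs0, O=NA) means the chain being presented is not the server's public one and the trust store is not where to look. The sample strings are the DN lines from the posts above; the trust-anchor set holds only the T-TeleSec GlobalRoot Class 2 subject quoted in the reply. Nothing here connects to the network.

```python
"""Compare the chain reported by `openssl s_client -showcerts` with the issuer
chain expected for a server and with the roots held in the local store.

Constructed sample input: DN lines copied from the posts in this thread."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Chain block as it appears in the poster's s_client output (sample input).
OBSERVED_CHAIN = """\
Certificate chain
 0 s:C = DE, ST = Nordrhein-Westfalen, L = Bonn, O = Deutsche Telekom AG, CN = securepop.t-online.de
   i:C = NA, ST = NA, L = NA, O = NA, OU = NA, CN = Default_CA_6pvzwTQkm2dGBs0, emailAddress = na@example.com
 1 s:C = NA, ST = NA, L = NA, O = NA, OU = NA, CN = Default_CA_6pvzwTQkm2dGBs0, emailAddress = na@example.com
   i:C = NA, ST = NA, L = NA, O = NA, OU = NA, CN = Default_CA_6pvzwTQkm2dGBs0, emailAddress = na@example.com
---
"""

# Chain block built from the issuer DNs the other reply reports for the real server.
EXPECTED_CHAIN = """\
Certificate chain
 0 s:C = DE, ST = Nordrhein-Westfalen, L = Bonn, O = Deutsche Telekom AG, CN = securepop.t-online.de
   i:C = DE, O = Deutsche Telekom Security GmbH, CN = Telekom Security ServerID OV Class 2 CA
 1 s:C = DE, O = Deutsche Telekom Security GmbH, CN = Telekom Security ServerID OV Class 2 CA
   i:C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
---
"""

# Root subjects present in the store (the update-ca-certificates run lists this one).
TRUST_ANCHORS: Set[str] = {
    "C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2",
}

SUBJECT_LINE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:<subject DN>"
ISSUER_LINE = re.compile(r"^\s+i:(.*)$")            # "   i:<issuer DN>"


def parse_chain(s_client_output: str) -> List[Tuple[str, str]]:
    """Extract (subject, issuer) pairs, leaf first, from the 'Certificate chain' block."""
    pairs: List[Tuple[str, str]] = []
    pending_subject: Optional[str] = None
    for line in s_client_output.splitlines():
        m = SUBJECT_LINE.match(line)
        if m:
            pending_subject = m.group(2).strip()
            continue
        m = ISSUER_LINE.match(line)
        if m and pending_subject is not None:
            pairs.append((pending_subject, m.group(1).strip()))
            pending_subject = None
    return pairs


def evaluate_chain(pairs: List[Tuple[str, str]], anchors: Set[str]) -> Dict[str, object]:
    """Decide, as OpenSSL does, whether the top of the chain reaches a trusted root.

    verdict values:
      trusted                    apex certificate or its issuer is a known root
      untrusted_self_signed_root chain ends in a self-signed CA not in the store
                                 (what OpenSSL prints as verify error 19)
      missing_trust_anchor       chain stops at an issuer the store does not hold
      broken_chain / no_chain    certificates do not link up / nothing parsed
    """
    if not pairs:
        return {"verdict": "no_chain", "apex_subject": None, "apex_issuer": None}
    # Each certificate's issuer must be the subject of the next one up.
    for (_, issuer), (next_subject, _) in zip(pairs, pairs[1:]):
        if issuer != next_subject:
            return {"verdict": "broken_chain", "apex_subject": None, "apex_issuer": None}
    apex_subject, apex_issuer = pairs[-1]
    if apex_subject in anchors or apex_issuer in anchors:
        verdict = "trusted"
    elif apex_subject == apex_issuer:
        verdict = "untrusted_self_signed_root"
    else:
        verdict = "missing_trust_anchor"
    return {"verdict": verdict, "apex_subject": apex_subject, "apex_issuer": apex_issuer}


def leaf_issuer_matches(observed: str, expected: str) -> bool:
    """True when the leaf certificate was issued by the CA expected for this server."""
    obs, exp = parse_chain(observed), parse_chain(expected)
    return bool(obs and exp) and obs[0][1] == exp[0][1]


def diagnose(observed: str, expected: str, anchors: Set[str]) -> str:
    """One-line conclusion: fix the store, or look at what is presenting the chain."""
    result = evaluate_chain(parse_chain(observed), anchors)
    if result["verdict"] == "trusted":
        return "chain verifies against the local store"
    if not leaf_issuer_matches(observed, expected):
        return ("leaf issuer differs from the expected CA: the presented chain is not the "
                "server's public one, so do not add %r to the trust store; find what presents it"
                % result["apex_subject"])
    return "expected issuer chain but its root is missing from the store: update the CA package"


if __name__ == "__main__":
    print(evaluate_chain(parse_chain(OBSERVED_CHAIN), TRUST_ANCHORS))
    print(evaluate_chain(parse_chain(EXPECTED_CHAIN), TRUST_ANCHORS))
    print(diagnose(OBSERVED_CHAIN, EXPECTED_CHAIN, TRUST_ANCHORS))
```

Run against the posted output it classifies the chain as an untrusted self-signed root and reports that the leaf issuer is not the Telekom CA; fed the expected chain it verifies against the single T-TeleSec root. The point of keeping both checks is that `update-ca-certificates` can only ever help in the second case.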

Hi - I did some more testing.

1# Once with a completely new UCS primary server and a dedicated new domain where UCS AD and the UCS mail-server plus fetchmail are installed on the newest version (5.2-1 errata62). Same results and error messages when connecting to T-Online.

2# Once with an existing independent UCS primary server and a dedicated domain where UCS AD, the UCS mail-server and egroupware plus fetchmail are installed on version 5.0-x. Same results and error messages when connecting to T-Online.

It sounds to me like there is a general issue. Maybe a bug or a missing configuration.

It would be nice if someone from the UCS team could pick that up.
@Fels @Best or anyone else from UCS staff team who is familiar with that topic.

Thank you in advance