Problem:
Every time Fetchmail is run, it adds warning messages concerning individual SSL certificates to the mail.log file, e.g.:
fetchmail: Server certificate validation error: unable to get local issuer certificate
fetchmail: Server certificate validation error: certificate not trusted
fetchmail: Server certificate validation error: unable to verify the first certificate
fetchmail: Server certificate validation error: self signed certificate
fetchmail: Server certificate validation error: certificate has expired
Solution:
The fingerprints of the certificates can be entered in the /etc/fetchmailrc file to mark them as accepted for Fetchmail:
- Stop the fetchmail daemon:
/etc/init.d/fetchmail stop
- Start Fetchmail on the console:
fetchmail -v -f /etc/fetchmailrc
Once this command has been run, Fetchmail should output the fingerprints for the received certificates, e.g.:
fetchmail: mail.server.de key fingerprint: 1A:56:E3:A3:DE:D1:F9:17:40:81:DD:77:71:E9:AF:2C
- The fingerprints reported by Fetchmail can now be added to the /etc/fetchmailrc file, e.g.:
user 'benutzer@server.de' there with password 'passwort' is benutzer@domain.ucs here options ssl sslfingerprint "1A:56:E3:A3:DE:D1:F9:17:40:81:DD:77:71:E9:AF:2C"
The sslfingerprint option must be set for every user entry in the /etc/fetchmailrc file that uses the ssl option. When the fetchmail daemon is then restarted, the SSL warning messages no longer appear.
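
The following shell helpers are an added example, not part of the original article or of Fetchmail. They collect the host/fingerprint pairs from saved "fetchmail -v" output and list the user entries that enable ssl but still lack sslfingerprint. The function names, the sample files and the one-entry-per-line layout are assumptions; the sample data is constructed.

```shell
#!/bin/sh
# Added example, not part of fetchmail: helpers for the pinning procedure above.

# Print unique "host fingerprint" pairs found in saved `fetchmail -v` output.
extract_fingerprints() {
    sed -n 's/^fetchmail: \(.*\) key fingerprint: \([0-9A-Fa-f:]*\)$/\1 \2/p' "$1" | sort -u
}

# Print line numbers of user entries that enable ssl without sslfingerprint.
# Assumption: one user entry per line, as in the example in this article.
unpinned_entries() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        /(^|[ \t])user[ \t]/ &&
        /(^|[ \t])ssl([ \t]|$)/ &&
        !/(^|[ \t])sslfingerprint[ \t]/ { print NR }
    ' "$1"
}

# Write constructed sample files (not real accounts or servers) into dir $1.
make_samples() {
    cat > "$1/fetchmail.out" <<'EOF'
fetchmail: Server certificate validation error: self signed certificate
fetchmail: mail.server.de key fingerprint: 1A:56:E3:A3:DE:D1:F9:17:40:81:DD:77:71:E9:AF:2C
fetchmail: mail.server.de key fingerprint: 1A:56:E3:A3:DE:D1:F9:17:40:81:DD:77:71:E9:AF:2C
fetchmail: pop.example.org key fingerprint: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
EOF
    cat > "$1/fetchmailrc" <<'EOF'
# constructed sample configuration
poll mail.server.de with proto POP3
user 'benutzer@server.de' there with password 'passwort' is benutzer@domain.ucs here options ssl sslfingerprint "1A:56:E3:A3:DE:D1:F9:17:40:81:DD:77:71:E9:AF:2C"
poll pop.example.org with proto POP3
user 'second@example.org' there with password 'secret' is second@domain.ucs here options ssl
user 'third@example.org' there with password 'secret' is third@domain.ucs here
EOF
}

# Run with --demo to try both helpers on the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d) && make_samples "$dir"
    extract_fingerprints "$dir/fetchmail.out"
    echo "unpinned ssl entries on lines: $(unpinned_entries "$dir/fetchmailrc" | tr '\n' ' ')"
    rm -rf "$dir"
fi
```

Before adding a fingerprint to /etc/fetchmailrc, compare it with the value the mail server operator supplies through a separate channel.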