stop fetchmail ssl cert errors

if fetchmail does not recognize the mail server’s ssl cert, it will generate the following errors:

fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Server certificate verification error: certificate not trusted
fetchmail: Server certificate verification error: unable to verify the first certificate

to fix:

get the mail server’s cert, and if necessary the cert from the issuing authority. ~/.fetchmail is a convenient place (for me) to keep fetchmail related files, so for this example, i will use ~/.fetchmail/ssl

mkdir -p ~/.fetchmail/ssl
cd ~/.fetchmail/ssl
  • get the mail server’s cert:

echo |
openssl s_client -connect mail.example.com:993 -showcerts 2>/dev/null |
sed -ne '/BEGIN CERT/,/END CERT/p' > mail.example.com.pem
  • get the CA’s root cert

  • extract the issuer from the mail server’s cert:

echo |
openssl s_client -connect mail.example.com:993 -showcerts 2>/dev/null |
sed -ne '/issuer=/p'
  • add to .fetchmailrc, in the server section:

sslcertck
sslcertpath "~/.fetchmail/ssl"
  • sample server section:

poll mail.example.com
proto IMAP
timeout 60
auth password
user "foo"
password "bar"
sslcertck
sslcertpath ~/.fetchmail/ssl

the fetchmail logs should now be clear. if not, comment out the sslcertck and sslcertpath lines, and add the server’s fingerprint to .fetchmailrc, again in the server section:

openssl x509 -in ~/.fetchmail/ssl/mail.example.com.pem -noout -md5 -fingerprint |
                sed 's/.*=/sslfingerprint "/;s/$/"/'

output looks like:

sslfingerprint "3E:5C:C1:83:0A:CA:E0:10:69:FD:F1:A4:99:8C:02:41"
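
an added example, not part of the original post: the sed step above saves every cert the server sends into one file, while a directory used as sslcertpath is looked up by hashed file names that c_rehash (shipped with OpenSSL) builds from files holding one cert each. this script splits the saved bundle and shows whether a self-signed root is among the certs; the function names and the chain-N.pem file names are assumptions made for the example.

```shell
#!/bin/sh
# added example (not from the original post); function and file names are
# hypothetical. assumes the bundle was saved by the sed step in this post.

# split_chain BUNDLE OUTDIR
# write each PEM block in BUNDLE to OUTDIR/chain-N.pem, skipping any text
# between blocks, and print the number of certificates written.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/chain-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# describe_chain OUTDIR
# print subject and issuer of every split certificate. a certificate whose
# subject equals its issuer is self-signed, i.e. a root; if none is listed,
# the root named by the last issuer still has to be fetched from the CA.
describe_chain() {
    root=no
    for f in "$1"/chain-*.pem; do
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        printf '%s\n  subject: %s\n  issuer:  %s\n' "$f" "$subj" "$iss"
        if [ "$subj" = "$iss" ]; then root=yes; fi
    done
    echo "self-signed root present: $root"
}

# usage: sh split-chain.sh ~/.fetchmail/ssl/mail.example.com.pem ~/.fetchmail/ssl
if [ "$#" -eq 2 ]; then
    split_chain "$1" "$2"
    describe_chain "$2"
    c_rehash "$2"    # rebuild the hashed names used for directory lookups
fi
```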