Reputation: 21
fetchmail warns about imap.gmail.com server certificate
I'm quite new here but i want to share my problem and found solution to everyone.
Maybe this helps someone and save time.
I choosen stackoverflow, because i've often found here a solution for my problems.
Problem: fetchmail prompts some warnings for imap.gmail.com cert and might no longer fetch my mails
Starting point was some fetchmail warning like below
fetchmail: Fehler bei Server-Zertifikat-Überprüfung: self signed certificate
fetchmail: Fehlendes Zertifikat als Vertrauensquelle: /OU=No SNI provided; please fix your client./CN=invalid2.invalid
fetchmail: Das kann bedeuten, dass das Wurzelzertifikat nicht unter den vertrauenswürdigen CA-Zertifikaten ist, oder dass c_rehash auf dem Verzeichnis ausgeführt werden muss. Details sind in der fetchmail-Handbuchseite im bei --sslcertpath beschrieben.
fetchmail: Warnung: Die Verbindung ist unsicher, mache trotzdem weiter. (Nehmen Sie lieber --sslcertck!)
After short test and .fetchmailrc config change like adding sslproto tls1.2 i got this warnings
fetchmail: Fehler bei Server-Zertifikat-Überprüfung: unable to get local issuer certificate
fetchmail: Unterbrochene Zertifizierungskette bei: /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
fetchmail: Dies kann bedeuten, dass der Server das/die Zertifikat(e) der Zwischenzertifizierungsstellen nicht mitlieferte. Daran kann fetchmail nichts ändern. Für weitere Information, siehe das mit Fetchmail ausgelieferte Dokument README.SSL-SERVER.
fetchmail: Das kann bedeuten, dass das Wurzelzertifikat nicht unter den vertrauenswürdigen CA-Zertifikaten ist, oder dass c_rehash auf dem Verzeichnis ausgeführt werden muss. Details sind in der fetchmail-Handbuchseite im bei --sslcertpath beschrieben.
fetchmail: Warnung: Die Verbindung ist unsicher, mache trotzdem weiter. (Nehmen Sie lieber --sslcertck!)
Now i've seen that there might be some root ca and intermediate ca and server certificate issue on my local device.
Now you must now that i running debian stretch.
Yes it's old stable and a little bit outdated and this might be the problem,
which i no longer investigated.
So i started a little bit more research regarding the imap.gmail.com and google ca certs.
When I'm running a fetchmail -v for verbose command, i have seen that google tells me,
they want to have a TLS1.3 protocol communication.
You can also see this by running a openssl connect check openssl s_client -showcerts -connect imap.gmail.com:993
So, i know that TLS1.2 is not now outdated and only all other older protocols till TLS1.1 are deprecated.
My debian stretch fetchmail is also not supporting TLS1.3, thats why i'm later configuring TLS1.2 only.
Now i searched for the google pki certs in the internet. All Google pki certs can be found here Google PKI
Now comes the my solution.
create a new .certs folder in my home dir
mkdir ~/.certs
mkdir ~/.certs/google
cd ~/.certs/google
get imap.gmail.com cert via openssl connect.
cd ~/.certs
openssl s_client -showcerts -connect imap2.gmail.com:993 -servername imap.gmail.com </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > imap.gmail.com.pem
download google pki certs via wget
cd ~/.certs/google
wget https://pki.goog/gtsr1/GTSR1.crt
wget https://pki.goog/gtsr2/GTSR2.crt
wget https://pki.goog/gtsr3/GTSR3.crt
wget https://pki.goog/gtsr4/GTSR4.crt
wget https://pki.goog/gsr2/GSR2.crt
wget https://pki.goog/gsr4/GSR4.crt
wget https://pki.goog/gtsr1/gtsy1.crt
wget https://pki.goog/gtsr2/gtsy2.crt
wget https://pki.goog/gtsr3/gtsy3.crt
wget https://pki.goog/gtsr4/gtsy4.crt
wget https://pki.goog/gsr2/GTS1O1.crt
wget https://pki.goog/gsr2/GTS1D2.crt
wget https://pki.goog/gsr2/giag4.crt
wget https://pki.goog/gsr4/giag4ecc.crt
wget https://pki.goog/digicert/GoogleCA1.crt
wget https://pki.goog/digicert/GTSCA1D3.crt
Then convert all *.crt to *.pem format and copy it to certs dir
for i in *.crt; do openssl x509 -inform DER -in $i -text </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > $i.pem ; done
for i in *.pem; do cp $i ~/.certs/. ; done
Afterwords run c_rehash of openssl to use it for fetchmail
c_rehash .
nano .fetchmailrc
insert following lines in ~/.fetchmailrc config like this
here are the ssl, sslcertpath and sslproto line the impotant changes.
poll imap.gmail.com
protocol IMAP
user 'xxxx'
is username
pass 'xxxxx'
folder INBOX
ssl
sslcertpath /home/<username>/.certs/
sslproto tls1.2
mda '/usr/bin/procmail -f %F -d %T'
now rerun your fetchmail (maybe in verbose mode) to check if warnings now away.
fetchmail -v
Upvotes: 2
Views: 2008
Answers (0)
Related Questions
- Getting "sslv3 alert handshake failure" when trying to connect to imap
- Getting error like this imap_open(): Couldn't open stream
- Connecting to Gmail through IMAP with PHP - SSL context failed
- imap.gmail.com returning self signed certificate with Alpine
- Ruby net/imap getting OpenSSL::SSL::SSLError - self-signed certificate?
- Can't Download/Retrieve Email from Gmail account with Delphi (SSL3_GET_RECORD:wrong version number)
- Connecting to gmail with Mailkit ImapClient using TLS not SSL
- Imap gmail does not response using java SSLSocket on MAC
- GMAIL imap_open invalid remote specification (errflg=2)
- Connecting to imap.google with SSL