Getting ssl/tls fingerprints for fetchmailrc

When using a secure connection, fetchmail compares the fingerprint of the server's certificate with the one specified in the configuration file (the sslfingerprint option). If those fingerprints do not match, the connection fails with:

fetchmail: $SERVER fingerprints do not match!
fetchmail: SSL connection failed.

So, what is the fastest way to get the server's certificate and its fingerprint? Just use

openssl s_client -connect $SERVER:$PORT -showcerts < /dev/null | openssl x509 -fingerprint -noout -md5

replacing $SERVER and $PORT with the appropriate values. The redirect from /dev/null makes s_client exit once the handshake is done instead of waiting for input on stdin.

The first command opens an SSL or TLS connection to the server and prints its certificate chain. The second command reads the first certificate in that output, which is the server's own certificate, and calculates its MD5 fingerprint.

The output might look like this:

depth=1 /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
verify error:num=19:self signed certificate in certificate chain
verify return:0
MD5 Fingerprint=09:0E:5C:1A:DB:0F:5C:81:C0:20:B7:67:C1:CC:DB:B5

Now cut and paste the fingerprint into your fetchmailrc (/etc/fetchmailrc or ~/.fetchmailrc) and that's it!

poll ... sslfingerprint '09:0E:5C:1A:DB:0F:5C:81:C0:20:B7:67:C1:CC:DB:B5'
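The check fetchmail performs is simple: hash the DER encoding of the server's certificate with MD5 and compare the colon-separated hex string against the sslfingerprint value. The following script is an added example, not part of this article and not fetchmail's own code; it reproduces that comparison offline. The s_client output and the fetchmailrc fragment in it are constructed, and the "certificate" bodies are just the base64 of the bytes "abc" and "def" rather than real X.509 data, so the expected MD5 values can be checked by hand. It also shows the point worth knowing about -showcerts: the full chain is printed, but only the first PEM block (the server certificate) is what openssl x509 and fetchmail look at.

```python
"""Added example (not from the original article): reproduce fetchmail's
sslfingerprint check offline.

Assumptions: S_CLIENT_OUTPUT and FETCHMAILRC below are constructed. The PEM
bodies are base64("abc") and base64("def"), not real certificates, so that
the MD5 values are easy to verify by hand. Host and user are placeholders.
"""
import base64
import hashlib
import re
from typing import Optional

# Constructed stand-in for the output of
#   openssl s_client -connect $SERVER:$PORT -showcerts < /dev/null
# A real run prints the whole chain; only the first PEM block is the
# server's own certificate, which is what fetchmail fingerprints.
S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=1 /CN=Example Root (constructed)
verify return:0
---
Certificate chain
 0 s:/CN=mail.example.test
   i:/CN=Example Root (constructed)
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
 1 s:/CN=Example Root (constructed)
   i:/CN=Example Root (constructed)
-----BEGIN CERTIFICATE-----
ZGVm
-----END CERTIFICATE-----
---
"""

# Constructed fetchmailrc fragment; placeholder host, user and password.
FETCHMAILRC = """\
poll mail.example.test proto imap user "alice" pass "PLACEHOLDER"
     ssl sslfingerprint '90:01:50:98:3C:D2:4F:B0:D6:96:3F:7D:28:E1:7F:72'
"""

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def first_certificate_der(s_client_output: str) -> bytes:
    """Return the DER bytes of the first PEM block (the server certificate),
    which is the same block `openssl x509` reads from the piped output."""
    m = PEM_RE.search(s_client_output)
    if not m:
        raise ValueError("no PEM certificate found in s_client output")
    return base64.b64decode("".join(m.group(1).split()))


def md5_fingerprint(der: bytes) -> str:
    """MD5 over the DER encoding, formatted like
    `openssl x509 -fingerprint -noout -md5` (upper-case, colon separated)."""
    digest = hashlib.md5(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def configured_fingerprint(fetchmailrc: str) -> Optional[str]:
    """Extract the sslfingerprint value from a fetchmailrc fragment."""
    m = re.search(r"sslfingerprint\s+['\"]?([0-9A-Fa-f:]+)['\"]?", fetchmailrc)
    return m.group(1) if m else None


def fingerprints_match(seen: str, configured: str) -> bool:
    """Case-insensitive comparison; a mismatch here is what makes fetchmail
    report 'fingerprints do not match!' and abort the SSL connection."""
    return seen.upper() == configured.upper()


def check(s_client_output: str, fetchmailrc: str) -> bool:
    """True if the server certificate's MD5 matches the configured value."""
    seen = md5_fingerprint(first_certificate_der(s_client_output))
    want = configured_fingerprint(fetchmailrc)
    return want is not None and fingerprints_match(seen, want)


if __name__ == "__main__":
    der = first_certificate_der(S_CLIENT_OUTPUT)
    print("MD5 Fingerprint=" + md5_fingerprint(der))
    print("matches fetchmailrc:", check(S_CLIENT_OUTPUT, FETCHMAILRC))
```

To use it against a real server, save the s_client output to a file and pass its contents to check() together with your fetchmailrc; the fingerprint printed will be the one to paste into the sslfingerprint option.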

Possible Issues

If you get something along the lines of

unable to load certificate
2371:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE

it means the second command never received a certificate. Run the first command on its own:

openssl s_client -connect $SERVER:$PORT -showcerts < /dev/null

and check its output for error messages.

Some common error messages are:

  • Error:

    gethostbyname failure
    connect:errno=0

    or

    connect: Connection refused
    connect:errno=111

    Solution: You have probably typed a wrong hostname or port.

  • Error:

    CONNECTED(00000003)
    write:errno=104

    Solution: The server only supports SSLv3. Try adding the option -ssl3.

Edits:

  • 2013-05-02 Migrated this article from my old website
  • 2014-12-16 Again a migration.

2 Comments

  1. Thanks for this.

  2. Thanks also.
