From BStegmaier
When using secure connections, fetchmail compares the MD5 fingerprint of the server key with the one given in the configuration file.
If those fingerprints do not match, the connection fails with
fetchmail: $SERVER fingerprints do not match!
fetchmail: SSL connection failed.
So, what's the fastest way to get the server's certificate and fingerprint? Just use
openssl s_client -connect $SERVER:$PORT -showcerts | openssl x509 -fingerprint -noout -md5
replacing $SERVER and $PORT with the appropriate values.
The output might look like this:
depth=1 /C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
verify error:num=19:self signed certificate in certificate chain
verify return:0
MD5 Fingerprint=09:0E:5C:1A:DB:0F:5C:81:C0:20:B7:67:C1:CC:DB:B5
Now cut and paste the fingerprint to your fetchmailrc and that's it!
In /etc/fetchmailrc or ~/.fetchmailrc:
poll ... sslfingerprint '09:0E:5C:1A:DB:0F:5C:81:C0:20:B7:67:C1:CC:DB:B5'
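What the pinned value is, as an added example (not part of the original page or of fetchmail): the fingerprint is the MD5 digest of the certificate's DER encoding, and the code below recomputes it and compares it with the sslfingerprint entries in a fetchmailrc. The host name and the sample certificate bytes are constructed, and fetch_server_cert does not validate the chain, so confirm a new fingerprint with the server operator before pinning it.

```python
import hashlib
import re
import ssl


def md5_fingerprint(pem_cert: str) -> str:
    """MD5 over the certificate's DER bytes, formatted as colon-separated
    upper-case hex, the form `openssl x509 -fingerprint -md5` prints."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.md5(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pinned_fingerprints(fetchmailrc_text: str) -> list:
    """Collect every sslfingerprint value, skipping '#' comment lines."""
    pins = []
    for line in fetchmailrc_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        pins += re.findall(r"sslfingerprint\s+['\"]([0-9A-Fa-f:]+)['\"]", line)
    return pins


def server_matches_pin(pem_cert: str, fetchmailrc_text: str) -> bool:
    """True if the certificate's fingerprint equals one of the pinned values."""
    return md5_fingerprint(pem_cert) in pinned_fingerprints(fetchmailrc_text)


def fetch_server_cert(host: str, port: int) -> str:
    """Live fetch for implicit-TLS ports; the chain is NOT validated here."""
    return ssl.get_server_certificate((host, port))


# Constructed sample: arbitrary bytes wrapped as PEM, not a real certificate.
SAMPLE_DER = b"constructed stand-in for a DER-encoded certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
# Constructed, abbreviated fetchmailrc entry; mail.example.org is a placeholder.
SAMPLE_RC = (
    "# sslfingerprint '00:11' (commented out, ignored)\n"
    "poll mail.example.org\n"
    "    sslfingerprint '%s'\n" % md5_fingerprint(SAMPLE_PEM)
)

if __name__ == "__main__":
    print("computed:", md5_fingerprint(SAMPLE_PEM))
    print("pinned:  ", pinned_fingerprints(SAMPLE_RC))
    print("match:   ", server_matches_pin(SAMPLE_PEM, SAMPLE_RC))
```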
Possible Issues
If you get something along the lines of
unable to load certificate
2371:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE
run the first command only
openssl s_client -connect $SERVER:$PORT -showcerts
and check for error messages.
The most common issues are:
- Error:
gethostbyname failure
connect:errno=0
or
connect: Connection refused
connect:errno=111
Solution: You might have typed in a wrong hostname or port.
- Error:
CONNECTED(00000003)
write:errno=104
Solution: Only SSLv3 is supported. Try adding the option -ssl3 to the openssl s_client command.


