Fetchmail and server certificate verification error: unable to get local issuer certificate

OK, this is a familiar question. I'm not sure what I'm missing to get the local issuer certificate, since when I ran the check with openssl it succeeded. I was under the impression that all I need is the Global CA certificate (openssl shows it is valid and accepted).

Running fetchmail with:

fetchmail -v -v -d 473 --syslog --nobounce --sslcertpath /home/bloggs/certs -f /home/bloggs/fetchmailrc

/home/bloggs/certs contains

lrwxrwxrwx   1           10 Aug  8 12:57 3513523f.0 -> CAROOT.pem
-rw-------   1          1338 Aug  8 08:51 CAROOT.pem

With openssl:

/usr/local/ssl/bin/openssl s_client -CApath /home/bloggs/certs -connect outlook.office365.com:995

outputs this:

depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
verify return:1
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
Server certificate
etc, etc, etc
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1533743966
Timeout   : 300 (sec)
Verify return code: 0 (ok)

However, fetchmail writes this to the mail log:

Old UID list from outlook.office365.com: <empty>
Scratch list of UIDs: <empty>
6.3.26 querying outlook.office365.com (protocol POP3) at Wed Aug 08 13:03:16 2018:poll started
Trying to connect to
Certificate chain, from root to peer, starting at depth 1:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Global Root CA
Subject CommonName: DigiCert Cloud Services CA-1
Server certificate verification error: unable to get local issuer certificate
Broken certification chain at: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
This could mean that the server did not provide the intermediate CA's certificate(s), which is nothing fetchmail could do anything about.  For details, please see the README.SSL-SERVER document that ships with fetchmail.
This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
Certificate at depth 1:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Global Root CA
Subject CommonName: DigiCert Cloud Services CA-1
Server certificate verification error: certificate not trusted
Server certificate:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Cloud Services CA-1
Subject CommonName: outlook.com
Subject Alternative Name: *.clo.footprintdns.com

1 Answer

I believe the problem was that fetchmail had been built against a different set of SSL libraries than the one I ran the openssl test with. I rebuilt fetchmail against the same 1.0.2n library and everything works as it should:

Old UID list from outlook.office365.com: <empty>
Scratch list of UIDs: <empty>
6.3.26 querying outlook.office365.com (protocol POP3) at Sun Aug 12 14:12:56 2018: poll started
Trying to connect to
Certificate chain, from root to peer, starting at depth 2:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Global Root CA
Subject CommonName: DigiCert Global Root CA
Certificate at depth 1:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Global Root CA
Subject CommonName: DigiCert Cloud Services CA-1
Server certificate:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Cloud Services CA-1
Subject CommonName: outlook.com
Subject Alternative Name: *.clo.footprintdns.com
Subject Alternative Name: *.nrb.footprintdns.com
Subject Alternative Name: *.hotmail.com
Subject Alternative Name: *.internal.outlook.com
Subject Alternative Name: *.live.com
Subject Alternative Name: *.office.com
Subject Alternative Name: *.office365.com
Subject Alternative Name: *.outlook.com
Subject Alternative Name: *.outlook.office365.com
Subject Alternative Name: attachment.outlook.live.net
Subject Alternative Name: attachment.outlook.office.net
Subject Alternative Name: attachment.outlook.officeppe.net
Subject Alternative Name: ccs.login.microsoftonline.com
Subject Alternative Name: ccs-sdf.login.microsoftonline.com
Subject Alternative Name: hotmail.com
Subject Alternative Name: mail.services.live.com
Subject Alternative Name: office365.com
Subject Alternative Name: outlook.com
Subject Alternative Name: outlook.office.com
Subject Alternative Name: substrate.office.com
Subject Alternative Name: substrate-sdf.office.com
outlook.office365.com key fingerprint: ###################################################
POP3< +OK The Microsoft Exchange POP3 service is ready. [###########################################################]
POP3< .
POP3> USER #######@################
POP3< +OK User successfully logged on.
selecting or re-polling default folder
POP3< +OK 0 0
No mail for ######@###########at outlook.office365.com
POP3< +OK Microsoft Exchange Server POP3 server signing off.
6.3.26 querying outlook.office365.com (protocol POP3) at Sun Aug 12 14:12:58 2018: poll completed
New UID list from outlook.office365.com: <empty>
not swapping UID lists, no UIDs seen this query
Query status=1 (NOMAIL)
sleeping at Sun Aug 12 14:12:58 2018 for 473 seconds
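Editor's note on why "same certificate directory, different libssl" produces exactly this symptom (this explanation is added here and is not part of the original question or answer): OpenSSL never reads a `-CApath` / `--sslcertpath` directory sequentially. It looks up each issuer by the hashed filename `<subject_hash>.0`, and the hash function changed between OpenSSL 0.9.8 (MD5-based, what `openssl x509 -subject_hash_old` prints) and 1.0.0 and later (SHA-1-based, what `openssl x509 -subject_hash` prints). A directory rehashed with one generation's `c_rehash` is therefore invisible to a fetchmail linked against the other generation, even though `s_client` run from the first generation verifies the chain fine; the first log above, whose chain starts at depth 1 instead of depth 2, is what that lookup failure looks like. The script below is an added example (not fetchmail's or OpenSSL's own tooling): it reports which hash links are missing for each PEM in a directory and creates both link flavours so either libssl finds the root. The `CAROOT.pem` it generates for its self-test is a constructed self-signed test root, not the DigiCert root from the page, and the `fetchmail_ssl_lib` helper assumes a Linux `ldd`.

```shell
#!/bin/sh
# Check and repair the hashed symlinks OpenSSL expects in a --sslcertpath directory.
# Two link names matter per CA certificate:
#   <sha1 subject hash>.N  -- used by OpenSSL >= 1.0.0   (openssl x509 -subject_hash)
#   <md5  subject hash>.N  -- used by OpenSSL 0.9.8      (openssl x509 -subject_hash_old)
# A directory rehashed for one generation of libssl is invisible to the other.
set -eu

# has_link DIR HASH PEMNAME: true if some DIR/HASH.N already points at PEMNAME
has_link() {
  for l in "$1/$2".[0-9]*; do
    [ -e "$l" ] || continue
    [ "$(readlink "$l" 2>/dev/null || true)" = "$3" ] && return 0
  done
  return 1
}

# link_hash DIR PEM HASH: create DIR/HASH.N -> basename(PEM), choosing the first free N
link_hash() {
  i=0
  while [ -e "$2/$3.$i" ]; do i=$((i+1)); done
  ln -s "$(basename "$1")" "$2/$3.$i"
}

# check_certdir DIR: print the number of missing hash links (details on stderr).
# Each PEM needs both the new- and old-style link to satisfy either libssl.
check_certdir() {
  dir=$1
  missing=0
  for pem in "$dir"/*.pem; do
    [ -f "$pem" ] || continue
    name=$(basename "$pem")
    new=$(openssl x509 -in "$pem" -noout -subject_hash)
    old=$(openssl x509 -in "$pem" -noout -subject_hash_old)
    for h in "$new" "$old"; do
      if ! has_link "$dir" "$h" "$name"; then
        echo "MISSING $dir/$h.N -> $name" >&2
        missing=$((missing+1))
      fi
    done
  done
  echo "$missing"
}

# rehash_both DIR: add whichever link flavour is absent for every PEM in DIR
rehash_both() {
  dir=$1
  for pem in "$dir"/*.pem; do
    [ -f "$pem" ] || continue
    name=$(basename "$pem")
    for h in $(openssl x509 -in "$pem" -noout -subject_hash) \
             $(openssl x509 -in "$pem" -noout -subject_hash_old); do
      has_link "$dir" "$h" "$name" || link_hash "$pem" "$dir" "$h"
    done
  done
}

# Which libssl/libcrypto does the fetchmail binary actually load? Compare the
# version it reports with `openssl version` of the binary used for s_client.
# Assumes Linux ldd; use `otool -L` on macOS.
fetchmail_ssl_lib() {
  ldd "$(command -v fetchmail)" 2>/dev/null | grep -E 'libssl|libcrypto' || true
}

# make_test_dir: constructed fixture for a self-test, a throwaway self-signed
# root CA named CAROOT.pem in a fresh temp directory (not the DigiCert root).
make_test_dir() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test Root CA" \
    -keyout "$d/CAROOT.key" -out "$d/CAROOT.pem" >/dev/null 2>&1
  rm -f "$d/CAROOT.key"
  echo "$d"
}

# Usage: ./certdir-check.sh /home/bloggs/certs  (report), add "fix" to repair
if [ $# -gt 0 ]; then
  if [ "${2:-}" = "fix" ]; then rehash_both "$1"; fi
  echo "missing hash links: $(check_certdir "$1")"
fi
```

Running `check_certdir /home/bloggs/certs` against the directory shown in the question would report one missing link if only `3513523f.0` (a SHA-1-style name) exists, and `rehash_both` adds the MD5-style companion link; the more robust fix remains the one the answer took, building fetchmail against the same OpenSSL that `c_rehash` and `s_client` come from, since `--sslcertpath` is only as good as the hash scheme of the libssl that reads it.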