夜神 岩男 wrote:
I'm trying to set up sendmail/dovecot on a new server running CentOS-6 (well, CentOS-6.2 now). Everything seems to go well, but when I run fetchmail I get this warning:

    [tim@grover ~]$ fetchmail imap.maths.tcd.ie
    fetchmail: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)
If I do add --sslcertck (as suggested) I get the response:
    [tim@grover ~]$ fetchmail --sslcertck imap.maths.tcd.ie
    fetchmail: Server certificate verification error: self signed certificate
    fetchmail: This means that the root signing certificate (issued for /C=IE/ST=Dublin/L=Dublin/O=School of Mathematics, Trinity College, Dublin./OU=Automatically-generated IMAP SSL key/CN=imap.maths.tcd.ie/emailAddress=postmaster-k8gv5eYDmBCYFDSwBDOiMg@public.gmane.org)
    is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
    139925738739528:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1063:
    fetchmail: SSL connection failed.
    fetchmail: socket error while fetching from tim@imap.maths.tcd.ie
    fetchmail: Query status=2 (SOCKET)
It's just healthier, more detailed warnings than what you got before.
SSL/TLS relies on a third party verification of a certificate. This means a third party's signature on the certificate of the site you are connecting to. If, on the other hand, the site you're connecting to signed their own certificate themselves, then you have no way of knowing if they are really themselves because nobody outside of the 2-party connection is validating that the system you're talking to today is the same system you were talking to yesterday.
Thanks very much for your explanation, which throws some light on the subject.
What I still find a little puzzling is that "fetchmail --sslcertck imap.maths.tcd.ie" tells me the SSL connection failed, yet "fetchmail imap.maths.tcd.ie" seems to work.
Also, I'm not clear if SSL will look at all the crt's in /etc/pki/tls/certs, or just ca-bundle.crt?
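As an added example (not from this thread, and not fetchmail's own code), the following script reproduces the "self signed certificate" verification failure with openssl on a throwaway certificate and shows the two trust-store shapes that the error message points at: a single CA file (what --sslcertfile takes, the role ca-bundle.crt plays) and a hashed directory (what --sslcertpath takes, which is why the message mentions c_rehash). The CN imap.example.test, the file names and the work directory are constructed placeholders; the only assumption is that the openssl binary is on PATH.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread. Demonstrates why a
# self-signed server certificate fails verification and how a CAfile-style
# and a CApath-style trust store each make it verifiable. All names below
# are constructed test data.

WORK=${WORK:-$(mktemp -d)}
CERT="$WORK/cert.pem"
CAPATH="$WORK/certs"

# 1. Build a throwaway self-signed server certificate (constructed, 1-day lifetime).
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=imap.example.test" \
    -keyout "$WORK/key.pem" -out "$CERT" >/dev/null 2>&1
}

# openssl verify reports success as "<file>: OK". Older releases exit 0 even
# when verification fails, so the helpers test the output, not the exit code.
ok() { grep -q ': OK$'; }

# 2. Against the system CA store the cert is untrusted: nobody outside the
#    two-party connection vouches for it. This is the failure fetchmail printed.
verify_system_store() { openssl verify "$CERT" 2>&1 | ok; }

# 3. Trust the certificate itself as the anchor, CAfile style (--sslcertfile).
verify_with_cafile() { openssl verify -CAfile "$CERT" "$CERT" 2>&1 | ok; }

# 4. Directory store, CApath style (--sslcertpath). Dropping a .crt into the
#    directory is NOT enough: openssl only opens files named <subject-hash>.N,
#    so an unhashed directory behaves as if it were empty.
make_capath_unhashed() {
  rm -rf "$CAPATH" && mkdir -p "$CAPATH" && cp "$CERT" "$CAPATH/server.crt"
}
verify_with_capath() { openssl verify -CApath "$CAPATH" "$CERT" 2>&1 | ok; }

# 5. What c_rehash does: link every certificate under its subject-name hash.
rehash_capath() {
  for f in "$CAPATH"/*.crt; do
    h=$(openssl x509 -hash -noout -in "$f") || return 1
    ln -sf "$(basename "$f")" "$CAPATH/$h.0"
  done
}

report() { if "$1"; then echo "$2: OK"; else echo "$2: verification failed"; fi; }

demo() {
  make_self_signed || { echo "could not create test certificate" >&2; return 1; }
  report verify_system_store "system store"
  report verify_with_cafile  "-CAfile (cert pinned as anchor)"
  make_capath_unhashed
  report verify_with_capath  "-CApath before rehash"
  rehash_capath
  report verify_with_capath  "-CApath after rehash"
}

demo
```

Run it as `sh verify-demo.sh`; the four report lines show the same certificate failing, passing, failing and passing in turn. The answer to the /etc/pki/tls/certs question follows from step 4: a directory store is consulted only through the <hash>.N names that c_rehash creates, while ca-bundle.crt is a single file that is used as a CAfile.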