ssl-certificate - Fetchmail 和服务器证书验证错误:无法获取本地颁发者证书
问题描述
好的,这个熟悉的问题,不确定我仍然缺少什么才能获得本地颁发者证书,因为当我使用 openssl 运行检查时我获得了成功。我的印象是我需要的只是全球 CA 证书(openssl 表明它都是有效且可接受的)
谢谢!
运行 fetchmail:
fetchmail -v -v -d 473 --syslog --nobounce --sslcertpath /home/bloggs/certs -f /home/bloggs/fetchmailrc
/home/bloggs/certs 包含
lrwxrwxrwx 1 10 Aug 8 12:57 3513523f.0 -> CAROOT.pem
-rw------- 1 1338 Aug 8 08:51 CAROOT.pem
使用openssl:
/usr/local/ssl/bin/openssl s_client -CApath /home/bloggs/certs -connect outlook.office365.com:995
输出这个:
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...snip...
etc, etc, etc
...snip...
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1533743966
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
但是,Fetchmail 会将其写入邮件日志
Old UID list from outlook.office365.com: <empty>
Scratch list of UIDs: <empty>
6.3.26 querying outlook.office365.com (protocol POP3) at Wed Aug 08 13:03:16 2018:poll started
Trying to connect to 180.163.18.8/995...connected.
Certificate chain, from root to peer, starting at depth 1:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Global Root CA
Subject CommonName: DigiCert Cloud Services CA-1
Server certificate verification error: unable to get local issuer certificate
Broken certification chain at: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
This could mean that the server did not provide the intermediate CA's certificate(s), which is nothing fetchmail could do anything about. For details, please see the README.SSL-SERVER document that ships with fetchmail.
This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
Certificate at depth 1:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Global Root CA
Subject CommonName: DigiCert Cloud Services CA-1
Server certificate verification error: certificate not trusted
Server certificate:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Cloud Services CA-1
Subject CommonName: outlook.com
Subject Alternative Name: *.clo.footprintdns.com
解决方案
我认为问题在于 fetchmail 是针对一组不同的 SSL 库构建的,这与我运行 openssl 测试时使用的 SSL 库不同。我已经针对同一个库 1.0.2n 重建了 fetchmail,一切都按预期工作:
Old UID list from outlook.office365.com: <empty>
Scratch list of UIDs: <empty>
6.3.26 querying outlook.office365.com (protocol POP3) at Sun Aug 12 14:12:56 2018: poll started
Trying to connect to 36.165.28.8/995...connected.
Certificate chain, from root to peer, starting at depth 2:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Global Root CA
Subject CommonName: DigiCert Global Root CA
Certificate at depth 1:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Global Root CA
Subject CommonName: DigiCert Cloud Services CA-1
Server certificate:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Cloud Services CA-1
Subject CommonName: outlook.com
Subject Alternative Name: *.clo.footprintdns.com
Subject Alternative Name: *.nrb.footprintdns.com
Subject Alternative Name: *.hotmail.com
Subject Alternative Name: *.internal.outlook.com
Subject Alternative Name: *.live.com
Subject Alternative Name: *.office.com
Subject Alternative Name: *.office365.com
Subject Alternative Name: *.outlook.com
Subject Alternative Name: *.outlook.office365.com
Subject Alternative Name: attachment.outlook.live.net
Subject Alternative Name: attachment.outlook.office.net
Subject Alternative Name: attachment.outlook.officeppe.net
Subject Alternative Name: ccs.login.microsoftonline.com
Subject Alternative Name: ccs-sdf.login.microsoftonline.com
Subject Alternative Name: hotmail.com
Subject Alternative Name: mail.services.live.com
Subject Alternative Name: office365.com
Subject Alternative Name: outlook.com
Subject Alternative Name: outlook.office.com
Subject Alternative Name: substrate.office.com
Subject Alternative Name: substrate-sdf.office.com
outlook.office365.com key fingerprint: ###################################################
POP3< +OK The Microsoft Exchange POP3 service is ready. [###########################################################]
POP3> CAPA
POP3< +OK
POP3< TOP
POP3< UIDL
POP3< SASL PLAIN
POP3< USER
POP3< .
POP3> USER #######@################
POP3< +OK
POP3> PASS *
POP3< +OK User successfully logged on.
selecting or re-polling default folder
POP3> STAT
POP3< +OK 0 0
No mail for ######@###########at outlook.office365.com
POP3> QUIT
POP3< +OK Microsoft Exchange Server POP3 server signing off.
6.3.26 querying outlook.office365.com (protocol POP3) at Sun Aug 12 14:12:58 2018: poll completed
New UID list from outlook.office365.com: <empty>
not swapping UID lists, no UIDs seen this query
Query status=1 (NOMAIL)
sleeping at Sun Aug 12 14:12:58 2018 for 473 seconds
推荐阅读
- python - Python-Flask Word 到 PDF - Coinitialize 错误
- flutter - (以下 NoSuchMethodError 在构建 Builder 时被抛出:)在 null 上调用了 setter 'categoryName='
- php - 如何使用 Knp Snappy 包设置 pdf 的页面大小
- javascript - Lodash:对数组进行排序
- java - 这个递归函数如何中断并返回
- react-native - 如何从日期时间选择器格式化日期和时间
- reactjs - 为什么在我尝试使用 npm 安装软件包时出现错误
- python - 在 python pandas 中获取列值的列表和数据框映射
- flutter - 添加一个带有大小的按钮并在其中添加图标
- sql - 如何将 where 子句应用于连接表上的每个结果?