On Sat, Oct 23, 2010 at 00:15:23 -0600, Joseph wrote:
> I've found this tutorial but it is not working. My certificate is not
> recognized http://www.axllent.org/docs/networking/gmail_pop3_with_fetchmail

Yeah, that writeup appears to be both incorrect (as mentioned in the comments) and outdated (since the certificate contained in the "equifax.pem" file listed there expired in 2009).

On Sat, Oct 23, 2010 at 10:14:13 -0600, Joseph wrote:
> ls -l /home/joseph/.mutt/cert/
> total 8
> lrwxrwxrwx 1 joseph joseph 9 Oct 23 08:49 09cc127e.0 -> gmail.pem
> lrwxrwxrwx 1 joseph joseph 11 Oct 23 08:49 17974aab.0 -> equifax.pem
> -rw-r--r-- 1 joseph users 993 Oct 22 23:52 equifax.pem
> -rw-r--r-- 1 joseph users 1224 Oct 22 23:50 gmail.pem
>
> cat equifax.pem
> -----BEGIN CERTIFICATE-----
[...]
> Y3Jscy9zZWN1cmVjYS5jcmwwDQYJKoZIhvcNAQEFBQADgYEAuIojxkiWsRF8YHde
> BZqrocb6ghwYB8TrgbCoZutJqOkM0ymt9e8kTP3kS8p/XmOrmSfLnzYhLLkQYGfN
> 0rTw8Ktx5YtaiScRhKqOv5nwnQkhClIZmloJ0pC3+gz4fniisIWvXEyZ2VxVKfml
> UUIuOss4jHg7y/j7lYe8vJD5UDI=
> -----END CERTIFICATE-----
>

I'm a little confused as to how your directory got set up the way you show here, since the hash value I get for the certificate you list is "d9b7a851" (and not "17974aab" as the hash symlinks would indicate). But in any case I think you are making this a little more difficult than it needs to be.

Basically, I think what you want to do is install on your local system the *root* of the certificate-verification chain, and not any of the intermediate certificates (which are the ones that pop.gmail.com sends to your machine when you connect to it). While it's probably possible to install one of those certificates as the "trusted" one, if you do that you'll have to update your local configuration each time those intermediate certificates change. The root CA should change far less frequently, and once your system is using it, the validation of the GMail connection will just keep working as long as any new intermediate certificates can ultimately trace back to that root CA.

As I mentioned before, I haven't had to install private copies of the root CA certificate myself, but as far as I understand the following should work:

* clear out the files currently in ~/.mutt/cert (you can save them somewhere else if you like)

* Go to https://www.geotrust.com/resources/root-certificates/index.html and download the base-64 encoded version of the "Root 1 - Equifax Secure Certificate Authority" certificate. Save it into a file in your ~/.mutt/cert/ directory with the extension ".pem". ("Equifax_Secure_CA.pem" is the name used in Debian).

* run "c_rehash ." within that cert directory. That should create a symlink named 594f1775.0 pointing to the .pem file.

At that point, your .fetchmailrc line of

  poll pop.gmail.com with proto POP3 and options no dns
    user 'syscon...@gmail.com' password 'xxxxxxxxxxx'
    options ssl sslcertck sslcertpath /home/joseph/.mutt/cert/

should work. (Note that you do need the @gmail.com part on the username, since GMail supports 'hosted' domains as well; 'syscon...@example.com' would be a different GMail user.)

I'm not very familiar with Gentoo, but a quick Google search turned up the ca-certificates ebuild: http://packages.gentoo.org/package/app-misc/ca-certificates , which seems to be based off the Debian package of the same name. So I suspect if you installed that ebuild you'd find that the Equifax_Secure_CA.pem file was already installed on your system, and that you could skip the ~/.mutt/certs/ directory and the "sslcertpath" option in your fetchmailrc file entirely. In addition to saving the up-front configuration effort, the big advantage of that approach is that fetchmail would continue to work even if GMail switched to using a different root CA to sign its certificates.

(If that doesn't work, though, you might have more luck finding a solution in some more Gentoo-specific forum.)

Hope that helps.

Nathan
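
Added example, not part of the original message: the two problems raised above (hash symlinks that do not match the certificate they point to, and an expired certificate) can be checked mechanically for any directory passed to `sslcertpath`. The function names `audit_certdir` and `make_demo_dir` and the throwaway self-signed certificate are assumptions constructed for illustration; only `openssl x509` and `openssl req` are used.

```shell
#!/bin/sh
# Added example: audit an OpenSSL hashed certificate directory, such as the
# one named by fetchmail's sslcertpath. Function names are hypothetical.

# audit_certdir DIR: report every <hash>.<n> symlink; return non-zero if a
# link name disagrees with the local openssl's hash or its cert has expired.
audit_certdir() {
    dir=$1
    rc=0
    for link in "$dir"/*.[0-9]*; do
        [ -L "$link" ] || continue
        name=$(basename "$link")
        want=${name%%.*}
        # The subject-hash algorithm changed in OpenSSL 1.0.0, so compare
        # with what the installed openssl computes, not a remembered value.
        have=$(openssl x509 -noout -hash -in "$link" 2>/dev/null) || have=unreadable
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $name: local openssl computes $have"
            rc=1
        elif ! openssl x509 -noout -checkend 0 -in "$link" >/dev/null 2>&1; then
            echo "EXPIRED  $name"
            rc=1
        else
            echo "OK       $name"
        fi
    done
    return $rc
}

# Constructed sample input: a throwaway self-signed certificate in a temp
# directory with one correctly named hash link. Prints the directory path.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-demo-root" \
        -keyout "$d/demo.key" -out "$d/demo.pem" >/dev/null 2>&1 || return 1
    h=$(openssl x509 -noout -hash -in "$d/demo.pem") || return 1
    ln -s demo.pem "$d/$h.0"
    echo "$d"
}

# Usage: sh audit.sh ~/.mutt/cert
if [ $# -gt 0 ]; then audit_certdir "$1"; fi
```

A MISMATCH line means certificate verification will not find that file by hash lookup; re-running `c_rehash` in the directory regenerates the links with the local OpenSSL's algorithm.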