
On Wed, Mar 07, 2012 at 08:48:08AM +1100, Lindsay Sprinter wrote:
> The following errors occur when I run fetchmail. The errors are not serious, i.e. fetchmail still works. The first started around 6 months ago, the expired one only a few weeks ago. The ISP has never sent anything stating they were changing or upgrading any security. As far as I know nothing has changed at this end for fetchmail.
>
> fetchmail: Server certificate verification error: self signed certificate
> fetchmail: Server certificate verification error: certificate has expired
Unless you're expecting to verify your POP/IMAP/SMTP/etc. connections, it really doesn't matter. A self-signed certificate, even an expired one, still works perfectly well for encrypting the connection.

If it's stopping fetchmail from actually fetching your mail, then see if there's an option to stop fetchmail from verifying certs. Or try to get a copy of their root certificate and install it where fetchmail can use it (probably /etc/ssl/certs). If it isn't stopping the mail from being fetched, just treat it as a warning and ignore it.

Oh, and email your ISP's sysadmins and tell them they need to re-sign their certificate. And maybe publish their CA certificate so their users can download and install it.

(FYI, I have a self-signed cert on my system, for postfix and dovecot and apache. I made it to be valid for 10 years so I don't have to re-sign it every year. For my needs, it works fine. If my system ever gets hacked and the private key stolen, I'll issue a revocation and create a new one.)

Self-signed just means they created and signed the cert themselves (probably using openssl's CA.pl as a Certificate Authority) rather than paying a commercial CA. The only real advantage of a commercial CA is that the public portion of their root cert is widely distributed and often included by default in operating systems and browsers, so that the signature can be verified.

While you probably want your bank's web site to use a reputable commercial CA, for anything else where you just want encryption but don't care about verification, a self-signed cert is fine, e.g. encrypting the login page on a forum site. It's not uncommon for sites using a self-signed certificate to publish their own CA cert so that end-users can skip the scary warnings (which are mostly self-serving advertisements to bolster the artificial public key infrastructure industry).

craig

PS: there are so many commercial CAs to choose from. Some even make a decent attempt to verify your identity when you request a certificate. Others will cheerfully sell you a cert for google.com or whatever you want. Apart from that, you have the choice of having your private key secretly passed on to the CIA, NSA, Mossad, Iranian government hackers, or any other spook agency of your choice (if you can figure out who is owned by whom)... hell, ASIO may even have their own pet CA.

--
craig sanders <cas@taz.net.au>

BOFH excuse #39: terrorist activities
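As an added example, not taken from either poster, here are the two fetchmail settings the reply describes side by side in a .fetchmailrc: the default, where a self-signed or expired server certificate is only logged as a warning and mail is still fetched, and the verifying setup, where the ISP's CA certificate has been installed where fetchmail can use it and a verification failure becomes fatal. It also goes one step beyond the thread by showing fetchmail's fingerprint pinning for the case where the ISP publishes no CA cert at all. The host name, user name, password and fingerprint are placeholders.

```conf
# ~/.fetchmailrc  (added example; pop.isp.example, the user, the password
# and the fingerprint are placeholders, not values from the thread)

# 1) Encrypt only. "ssl" wraps the POP3 session in TLS, but without
#    "sslcertck" fetchmail merely logs
#        Server certificate verification error: self signed certificate
#    and carries on fetching. This is the behaviour seen in the thread.
#
# poll pop.isp.example protocol pop3
#     user "lindsay" there with password "secret" is lindsay here
#     ssl

# 2) Encrypt and verify. "sslcertck" makes any verification failure fatal,
#    so a replaced or spoofed certificate stops the fetch instead of
#    producing a warning. The ISP's CA certificate (or its self-signed
#    server certificate) must first be dropped into the directory named by
#    "sslcertpath" as a PEM file, and that directory must be re-hashed
#    (c_rehash /etc/ssl/certs) so OpenSSL can locate it by subject hash.
poll pop.isp.example protocol pop3
    user "lindsay" there with password "secret" is lindsay here
    ssl sslcertck sslcertpath "/etc/ssl/certs"

# 3) Alternative when the ISP publishes no CA certificate: pin the server
#    certificate's MD5 fingerprint (as printed by
#    "openssl x509 -noout -fingerprint -md5 -in server.pem"). fetchmail
#    then refuses to talk to a server presenting any other certificate.
#    Replace the placeholder with the real fingerprint, colon-separated.
#
# poll pop.isp.example protocol pop3
#     user "lindsay" there with password "secret" is lindsay here
#     ssl sslcertck sslfingerprint "<MD5:FINGERPRINT:OF:SERVER:CERT>"
```

Only one of the three poll entries for the same host should be active at a time; the file keeps the verifying one (2) uncommented and the others as commented-out alternatives.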