Hello,

I'm running bullseye and fetchmail seems affected. I had these happening:

fetchmail: socket error while fetching from aris@<server>
fetchmail: Query status=2 (SOCKET)
fetchmail: Server certificate verification error: certificate has expired
fetchmail: OpenSSL reported: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

The machine I saw this error on has been dist-upgraded since 2001 or so. Running
openssl s_client -showcerts -connect <server>:995 -servername <server>:

(snip)
    Start Time: 1633325277
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
    Max Early Data: 0

Checking the certificate locally on the server, it passed. Running the same
openssl command on another bullseye machine did work. I did try to run
update-ca-certificates with and without -f; it didn't help. It did report
warnings:

        Updating certificates in /etc/ssl/certs...
        W: /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt not found, but listed in /etc/ca-certificates.conf.
        W: /usr/share/ca-certificates/mozilla/GeoTrust_Universal_CA_2.crt not found, but listed in /etc/ca-certificates.conf.
        W: /usr/share/ca-certificates/mozilla/Taiwan_GRCA.crt not found, but listed in /etc/ca-certificates.conf.
        W: /usr/share/ca-certificates/mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt not found, but listed in /etc/ca-certificates.conf.
        W: /usr/share/ca-certificates/mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt not found, but listed in /etc/ca-certificates.conf.
        W: /usr/share/ca-certificates/mozilla/EE_Certification_Centre_Root_CA.crt not found, but listed in /etc/ca-certificates.conf.
        0 added, 0 removed; done.
        Running hooks in /etc/ca-certificates/update.d...

        updates of cacerts keystore disabled.
        done.


Finally gave up and copied ca-certificates.conf from the machine that was
working, re-ran update-ca-certificates and it got rid of the warnings and
fetchmail and openssl were happy again. I don't fully understand how
/etc/ca-certificates.conf is generated and don't remember ever changing it.

--
Aristeu
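
A read-only check for the mismatch the warnings above point at, as an added example that is not part of the original message: it compares the entries in a ca-certificates.conf with the .crt files under the certificate directory. The function name audit_ca_conf is hypothetical; the file format assumed is Debian's ("#" comment lines, a "!" prefix for a deselected certificate, paths relative to /usr/share/ca-certificates).

```shell
#!/bin/sh
# Added example (not from the original message). audit_ca_conf is a
# hypothetical helper name.
# Usage: audit_ca_conf CONF CERTDIR
# Prints one line per finding:
#   MISSING <entry>   enabled in CONF, but no such file under CERTDIR
#   DISABLED <entry>  present under CERTDIR, but deselected with "!" in CONF
#   UNLISTED <entry>  present under CERTDIR, but not mentioned in CONF
audit_ca_conf() {
    conf=$1
    certdir=$2

    # Pass 1: every entry in the conf file, in file order.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*)            # blank line or comment
                continue ;;
            '!'*)               # deselected entry
                entry=${line#'!'}
                if [ -f "$certdir/$entry" ]; then
                    echo "DISABLED $entry"
                fi ;;
            *)                  # enabled entry
                if [ ! -f "$certdir/$line" ]; then
                    echo "MISSING $line"
                fi ;;
        esac
    done < "$conf"

    # Pass 2: certificates shipped on disk that the conf never mentions.
    (cd "$certdir" && find . -type f -name '*.crt' | sed 's|^\./||' | sort) |
    while IFS= read -r crt; do
        if ! grep -qxF -e "$crt" -e "!$crt" "$conf"; then
            echo "UNLISTED $crt"
        fi
    done
    return 0
}

# Run against the Debian default locations when they exist.
if [ -r /etc/ca-certificates.conf ] && [ -d /usr/share/ca-certificates ]; then
    audit_ca_conf /etc/ca-certificates.conf /usr/share/ca-certificates
fi
```

MISSING lines correspond to the "not found, but listed" warnings from update-ca-certificates; DISABLED and UNLISTED lines are certificates on disk that a run of update-ca-certificates would not add to /etc/ssl/certs.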
