stunnel + fetchmail and some problem with CA certificate

I have been using fetchmail to download pop3 mail from a server using stunnel. The server is using openSUSE 15.2, the client openSUSE 15.3. I have some keys from Namecheap for apache and I use the same keys for stunnel. It had been working until some days ago. The fetchmail in the client reports an error. I have set the debug level to 7 in the server and, when running service stunnel start in the server, it seems to be OK:


2021.12.20 19:02:25 LOG6[ui]: Initializing inetd mode configuration 
2021.12.20 19:02:25 LOG7[ui]: Clients allowed=500 
2021.12.20 19:02:25 LOG5[ui]: stunnel 5.57 on x86_64-suse-linux-gnu platform 
2021.12.20 19:02:25 LOG5[ui]: Compiled/running with OpenSSL 1.1.1d  10 Sep 2019 
2021.12.20 19:02:25 LOG5[ui]: Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI Auth:LIBWRAP 
2021.12.20 19:02:25 LOG7[ui]: errno: (*__errno_location ()) 
2021.12.20 19:02:25 LOG6[ui]: Initializing inetd mode configuration 
2021.12.20 19:02:25 LOG5[ui]: Reading configuration from file /etc/stunnel/stunnel.conf 
2021.12.20 19:02:25 LOG5[ui]: UTF-8 byte order mark not detected 
2021.12.20 19:02:25 LOG5[ui]: FIPS mode disabled 
2021.12.20 19:02:25 LOG7[ui]: Compression disabled 
2021.12.20 19:02:25 LOG7[ui]: No PRNG seeding was required 
2021.12.20 19:02:25 LOG6[ui]: Initializing service [pop3s] 
2021.12.20 19:02:25 LOG6[ui]: stunnel default security level set: 2 
2021.12.20 19:02:25 LOG7[ui]: Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK 
2021.12.20 19:02:25 LOG7[ui]: TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 
2021.12.20 19:02:25 LOG7[ui]: TLS options: 0x02100004 (+0x00000000, -0x00000000) 
2021.12.20 19:02:25 LOG6[ui]: Loading certificate from file: /etc/apache2/ssl.crt/mykey.com.crt 
2021.12.20 19:02:25 LOG6[ui]: Certificate loaded from file: /etc/apache2/ssl.crt/mykey.com.crt 
2021.12.20 19:02:25 LOG6[ui]: Loading private key from file: /etc/apache2/ssl.key/mykey.com.key 
2021.12.20 19:02:25 LOG6[ui]: Private key loaded from file: /etc/apache2/ssl.key/mykey.com.key 
2021.12.20 19:02:25 LOG7[ui]: Private key check succeeded 
2021.12.20 19:02:25 LOG6[ui]: DH initialization skipped: no DH ciphersuites 
2021.12.20 19:02:25 LOG7[ui]: ECDH initialization 
2021.12.20 19:02:25 LOG7[ui]: ECDH initialized with curves X25519:P-256:X448:P-521:P-384 
2021.12.20 19:02:25 LOG5[ui]: Configuration successful 
2021.12.20 19:02:25 LOG7[ui]: Deallocating deployed section defaults 
2021.12.20 19:02:25 LOG7[ui]: Binding service [pop3s] 
2021.12.20 19:02:25 LOG7[ui]: Listening file descriptor created (FD=9) 
2021.12.20 19:02:25 LOG7[ui]: Setting accept socket options (FD=9) 
2021.12.20 19:02:25 LOG7[ui]: Option SO_REUSEADDR set on accept socket 
2021.12.20 19:02:25 LOG6[ui]: Service [pop3s] (FD=9) bound to 0.0.0.0:995 
2021.12.20 19:02:25 LOG5[ui]: Switched to chroot directory: /var/lib/stunnel/ 
2021.12.20 19:02:25 LOG7[main]: Created pid file /var/run/stunnel.pid 
2021.12.20 19:02:25 LOG7[cron]: Cron thread initialized 
2021.12.20 19:02:25 LOG6[cron]: Executing cron jobs 
2021.12.20 19:02:25 LOG6[cron]: Cron jobs completed in 0 seconds 
2021.12.20 19:02:25 LOG7[cron]: Waiting 86400 seconds

And this is in the client when connecting:

fernando@aldebaran:~> fetchmail -vvv 
Old UID list from elemariamoliner.com: 
 <empty> 

Scratch list of UIDs: 
 <empty> 

fetchmail: 6.4.22 querying mydomain.com (protocol POP3) at lun 20 dic 2021 19:04:36 CET: poll started 
Trying to connect to 217.x.x.x/995...connected. 
fetchmail: SSL verify callback depth 0: preverify_ok == 0, err = 20, unable to get local issuer certificate 
fetchmail: Server certificate: 
fetchmail: Issuer Organization: Sectigo Limited 
fetchmail: Issuer CommonName: Sectigo RSA Domain Validation Secure Server CA 
fetchmail: Subject CommonName: mydomain.com 
fetchmail: Subject Alternative Name: emydomain.com 
fetchmail: Subject Alternative Name: www.mydomain.com 
fetchmail: mydomain.com key fingerprint: 12:87:9A:F5:8C:4D:A2:E3:DA:EC:99:6B:CE:91:6F:DF 
fetchmail: mydomain.com fingerprints match. 
fetchmail: Server certificate verification error: unable to get local issuer certificate 
fetchmail: Broken certification chain at: /C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA 
fetchmail: This could mean that the server did not provide the intermediate CA's certificate(s), which is nothing fetchmail could do anything about.  For details, please see the README.SSL-SERVER document that ships with fetchmail. 
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details. 
fetchmail: OpenSSL reported: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed 
fetchmail: mydomain.com: SSL connection failed. 
fetchmail: socket error while fetching from someone@mydomain.com 
fetchmail: 6.4.22 querying mydomain.com (protocol POP3) at lun 20 dic 2021 19:04:36 CET: poll completed 
Merged UID list from mydomain.com: 
 <empty> 
fetchmail: Query status=2 (SOCKET) 
fetchmail: normal termination, status 2 
fernando@aldebaran:~>

And in the server

2021.12.20 19:04:36 LOG7[main]: Found 1 ready file descriptor(s) 
2021.12.20 19:04:36 LOG7[main]: FD=4 events=0x2001 revents=0x0 
2021.12.20 19:04:36 LOG7[main]: FD=9 events=0x2001 revents=0x1 
2021.12.20 19:04:36 LOG7[main]: Service [pop3s] accepted (FD=3) from x.x.x.x:55306 
2021.12.20 19:04:36 LOG7[0]: Service [pop3s] started 
2021.12.20 19:04:36 LOG7[0]: Setting local socket options (FD=3) 
2021.12.20 19:04:36 LOG7[0]: Option TCP_NODELAY set on local socket 
2021.12.20 19:04:36 LOG5[0]: Service [pop3s] accepted connection from x.x.x.x:55306 
2021.12.20 19:04:36 LOG6[0]: Peer certificate not required 
2021.12.20 19:04:36 LOG7[0]: TLS state (accept): before SSL initialization 
2021.12.20 19:04:36 LOG7[0]: TLS state (accept): before SSL initialization 
2021.12.20 19:04:36 LOG7[0]: Initializing application specific data for session authenticated 
2021.12.20 19:04:36 LOG7[0]: SNI: no virtual services defined 
2021.12.20 19:04:36 LOG7[0]: TLS state (accept): SSLv3/TLS read client hello 
2021.12.20 19:04:36 LOG7[0]: TLS state (accept): SSLv3/TLS write server hello 
2021.12.20 19:04:36 LOG7[0]: TLS state (accept): SSLv3/TLS write change cipher spec 
2021.12.20 19:04:36 LOG7[0]: TLS state (accept): TLSv1.3 write encrypted extensions 
2021.12.20 19:04:36 LOG7[0]: TLS state (accept): SSLv3/TLS write certificate 
2021.12.20 19:04:36 LOG7[0]: TLS state (accept): TLSv1.3 write server certificate verify 
2021.12.20 19:04:36 LOG7[0]: TLS state (accept): SSLv3/TLS write finished 
2021.12.20 19:04:36 LOG7[0]: TLS state (accept): TLSv1.3 early data 
2021.12.20 19:04:36 LOG7[0]: TLS alert (read): fatal: unknown CA 
2021.12.20 19:04:36 LOG3[0]: SSL_accept: ssl/record/rec_layer_s3.c:1544: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca 
2021.12.20 19:04:36 LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 
2021.12.20 19:04:36 LOG7[0]: Deallocating application specific data for session connect address 
2021.12.20 19:04:36 LOG7[0]: Local descriptor (FD=3) closed 
2021.12.20 19:04:36 LOG7[0]: Service [pop3s] finished (0 left) 
2021.12.20 19:05:01 LOG7[main]: Found 1 ready file descriptor(s) 
2021.12.20 19:05:01 LOG7[main]: FD=4 events=0x2001 revents=0x0 
2021.12.20 19:05:01 LOG7[main]: FD=9 events=0x2001 revents=0x1 
2021.12.20 19:05:01 LOG7[main]: Service [pop3s] accepted (FD=3) from x.x.x.x:55324 
2021.12.20 19:05:01 LOG7[1]: Service [pop3s] started 
2021.12.20 19:05:01 LOG7[1]: Setting local socket options (FD=3) 
2021.12.20 19:05:01 LOG7[1]: Option TCP_NODELAY set on local socket 
2021.12.20 19:05:01 LOG5[1]: Service [pop3s] accepted connection from x.x.x.x:55324 
2021.12.20 19:05:01 LOG6[1]: Peer certificate not required 
2021.12.20 19:05:01 LOG7[1]: TLS state (accept): before SSL initialization 
2021.12.20 19:05:01 LOG7[1]: TLS state (accept): before SSL initialization 
2021.12.20 19:05:01 LOG7[1]: Initializing application specific data for session authenticated 
2021.12.20 19:05:01 LOG7[1]: SNI: no virtual services defined 
2021.12.20 19:05:01 LOG7[1]: TLS state (accept): SSLv3/TLS read client hello 
2021.12.20 19:05:01 LOG7[1]: TLS state (accept): SSLv3/TLS write server hello 
2021.12.20 19:05:01 LOG7[1]: TLS state (accept): SSLv3/TLS write change cipher spec 
2021.12.20 19:05:01 LOG7[1]: TLS state (accept): TLSv1.3 write encrypted extensions 
2021.12.20 19:05:01 LOG7[1]: TLS state (accept): SSLv3/TLS write certificate 
2021.12.20 19:05:01 LOG7[1]: TLS state (accept): TLSv1.3 write server certificate verify 
2021.12.20 19:05:01 LOG7[1]: TLS state (accept): SSLv3/TLS write finished 
2021.12.20 19:05:01 LOG7[1]: TLS state (accept): TLSv1.3 early data 
2021.12.20 19:05:01 LOG7[1]: TLS alert (read): fatal: unknown CA 
2021.12.20 19:05:01 LOG3[1]: SSL_accept: ssl/record/rec_layer_s3.c:1544: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca 
2021.12.20 19:05:01 LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket 
2021.12.20 19:05:01 LOG7[1]: Deallocating application specific data for session connect address 
2021.12.20 19:05:01 LOG7[1]: Local descriptor (FD=3) closed 
2021.12.20 19:05:01 LOG7[1]: Service [pop3s] finished (0 left)

The stunnel.conf file is


# Sample stunnel configuration file 
# Copyright by Michal Trojnara 2002-2004 
# --with changes for SuSE package 

# client = yes | no 
# client mode (remote service uses SSL) 
# default: no (server mode) 
client = no 

# 
# chroot + user (comment out to disable) 
# 
chroot = /var/lib/stunnel/ 
setuid = stunnel 
setgid = nogroup 
# note about the chroot feature and the "exec" keyword to start other services... 
# while the init script /etc/init.d/stunnel will copy the binaries and libraries  
# into the chroot jail, more files might be needed in the jail (configuration  
# files etc.) 

pid = /var/run/stunnel.pid 

# 
# debugging 
# 
debug = 7 
output = /var/log/stunnel.log 

# 
# Some performance tunings 
# 
# disable Nagle algorithm (a.k.a. tinygram prevention, see man 7 tcp) 
socket = l:TCP_NODELAY=1 
socket = r:TCP_NODELAY=1 
#compression = rle 

# Workaround for Eudora bug 
#options = DONT_INSERT_EMPTY_FRAGMENTS 

# Authentication stuff 
#verify = 2 
# Don't forget to c_rehash CApath;  CApath is located inside chroot jail: 
#CApath = /certs 
# It's often easier to use CAfile: 
#CAfile = /etc/stunnel/certs.pem 
# Don't forget to c_rehash CRLpath;  CRLpath is located inside chroot jail: 
#CRLpath = /crls 
# Alternatively you can use CRLfile: 
#CRLfile = /etc/stunnel/crls.pem 

#cert = /etc/stunnel/stunnel.pem 
cert = /etc/apache2/ssl.crt/mykey.crt 
key =  /etc/apache2/ssl.key/mykey.com.key

I have seen in this file the warning # Don’t forget to c_rehash CApath; CApath is located inside chroot jail:
#CApath = /certs

but there is no certs in /var/lib/stunnel

tutatis:/etc/stunnel # ls /var/lib/stunnel
bin  dev  etc  lib64  sbin  var
tutatis:/etc/stunnel #

I’m using the certs from outside the chroot, but it does not seem to be a problem… I don’t know why.

It seems to complain about some CA certificate.
What am I missing?
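What fetchmail is reporting above can be checked offline. "unable to get local issuer certificate" at depth 0, together with "Broken certification chain at: ... Sectigo RSA Domain Validation Secure Server CA", means the client received the leaf certificate but could not find the certificate that signed it: either the file stunnel serves with `cert =` holds only the leaf (stunnel's `cert` file may carry the whole chain, leaf first and then the intermediate(s) your CA supplied, often shipped as a separate ca-bundle file), or the client's trust store lacks that intermediate. The script below is an added example, not code from this thread, from stunnel or from fetchmail. It parses a PEM bundle with the standard library only, checks that each certificate is followed by its issuer, and reports when the last issuer is neither self-signed nor present in a given CA file. The certificates it builds for the demo are constructed, unsigned stand-ins that only copy the X.509 field layout; "Example Root CA" is a made-up name, while the Sectigo CN is the one printed in the fetchmail log.

```python
"""Offline chain check for a PEM bundle such as stunnel's `cert =` file.
Added example for this thread, not code from stunnel, fetchmail or the poster.
Standard library only; fake_cert() builds constructed, unsigned stand-ins."""
import base64
import re

CN_OID = b"\x06\x03\x55\x04\x03"  # DER TLV of OID 2.5.4.3 (commonName)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, end) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(value):
    """Split a constructed DER value into (tag, raw_tlv, inner_value) tuples."""
    out, pos = [], 0
    while pos < len(value):
        tag, vstart, end = read_tlv(value, pos)
        out.append((tag, value[pos:end], value[vstart:end]))
        pos = end
    return out

def subject_issuer(cert_der):
    """Raw DER Names (subject, issuer) of one X.509 certificate."""
    _, vstart, end = read_tlv(cert_der, 0)                # Certificate ::= SEQUENCE
    tbs = children(children(cert_der[vstart:end])[0][2])  # tbsCertificate fields
    i = 1 if tbs[0][0] == 0xA0 else 0                     # optional explicit [0] version
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return tbs[i + 4][1], tbs[i + 2][1]

def common_name(name_der):
    """CN attribute of a DER Name, or '?' when none is present."""
    _, vstart, end = read_tlv(name_der, 0)
    for _, _, rdn in children(name_der[vstart:end]):      # SET OF AttributeTypeAndValue
        for _, _, atv in children(rdn):
            oid, val = children(atv)
            if oid[1] == CN_OID:
                return val[2].decode("utf-8", "replace")
    return "?"

def pem_to_der_list(pem_text):
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]

def check_bundle(pem_text, trusted_pem=None):
    """List chain problems; [] means every certificate is followed by its issuer.
    Names are compared byte for byte (fine for certificates one CA emitted); trusted_pem
    is the client's CA file, None skips the check of the last issuer."""
    certs = [subject_issuer(d) for d in pem_to_der_list(pem_text)]
    if not certs:
        return ["no certificates found in bundle"]
    problems = []
    for n in range(len(certs) - 1):
        issuer, next_subject = certs[n][1], certs[n + 1][0]
        if issuer != next_subject:
            problems.append(f"certificate {n} is issued by '{common_name(issuer)}' but "
                            f"certificate {n + 1} is '{common_name(next_subject)}'")
    subject, issuer = certs[-1]
    if subject != issuer and trusted_pem is not None:
        trusted = {s for s, _ in map(subject_issuer, pem_to_der_list(trusted_pem))}
        if issuer not in trusted:  # the thread's symptom: issuer of the last cert unknown
            problems.append(f"issuer '{common_name(issuer)}' of '{common_name(subject)}' "
                            "is neither self-signed nor in the trusted set")
    return problems

def der(tag, content):
    """Encode one DER TLV with minimal-length encoding."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def fake_cert(subject_cn, issuer_cn):
    """Constructed, unsigned certificate skeleton with the real X.509 field layout."""
    def name(cn):  # Name ::= SEQUENCE OF (SET OF (SEQUENCE { type, value }))
        return der(0x30, der(0x31, der(0x30, CN_OID + der(0x0C, cn.encode()))))
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name(issuer_cn)
              + der(0x30, der(0x17, b"211220190000Z") + der(0x17, b"221220190000Z"))
              + name(subject_cn) + der(0x30, alg + der(0x03, b"\x00\x00")))
    body = base64.b64encode(der(0x30, tbs + alg + der(0x03, b"\x00\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    ISSUER_CN = "Sectigo RSA Domain Validation Secure Server CA"  # CN seen in the fetchmail log
    leaf = fake_cert("mydomain.com", ISSUER_CN)
    intermediate = fake_cert(ISSUER_CN, "Example Root CA")          # constructed root name
    root = fake_cert("Example Root CA", "Example Root CA")
    print("leaf only:          ", check_bundle(leaf, trusted_pem=root))
    print("leaf + intermediate:", check_bundle(leaf + intermediate, trusted_pem=root))
```

Run it with the contents of the file named in your `cert =` line as pem_text and the client's CA file (the one fetchmail's --sslcertfile points at, or the distribution bundle) as trusted_pem. An empty list means the chain is in the order stunnel serves and fetchmail expects, so certificate checking can stay enabled rather than being turned off in .fetchmailrc.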

It isn’t clear what you are doing.

If you are using “stunnel” for pop3, then why is “fetchmail” dealing with certificates? Shouldn’t “stunnel” be handling that?

My experience – fetchmail stopped working after the recent update. This is with ssl. It used to complain about the certificates but continue anyway. Now it complains about certificates and refuses to work.

I had to add to the entry in “.fetchmailrc”

ssl no sslcertck sslfingerprint "XX:XX:..."

to get it working again.

And what exactly is not clear here? Check your server certificate, check whether all intermediate certificates are valid and present. If you want someone else to do it for you, show actual IP address and not xxx.

Yes, that was what I thought, but suddenly fetchmail stopped working.

My experience – fetchmail stopped working after the recent update. This is with ssl. It used to complain about the certificates but continue anyway. Now it complains about certificates and refuses to work.

I had to add to the entry in “.fetchmailrc”

ssl no sslcertck sslfingerprint "XX:XX:..."

to get it working again.

Yes, that was my problem too, and adding the no sslcertck has solved it.
Thanks