OK, this is the familiar question, and I'm not sure what I am missing to still get the "local issuer certificate" error, as when I ran the check with openssl I got success. I was under the impression all I needed was the Global CA certificate (openssl shows that it is all valid and acceptable).
Thanks!
running fetchmail with:
fetchmail -v -v -d 473 --syslog --nobounce --sslcertpath /home/bloggs/certs -f /home/bloggs/fetchmailrc
/home/bloggs/certs contains
lrwxrwxrwx 1 10 Aug 8 12:57 3513523f.0 -> CAROOT.pem
-rw------- 1 1338 Aug 8 08:51 CAROOT.pem
With openssl:
/usr/local/ssl/bin/openssl s_client -CApath /home/bloggs/certs -connect outlook.office365.com:995
outputs this:
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Cloud Services CA-1
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com
i:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
1 s:/C=US/O=DigiCert Inc/CN=DigiCert Cloud Services CA-1
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...snip...
etc, etc, etc
...snip...
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1533743966
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
However, Fetchmail writes this to the mail log
Old UID list from outlook.office365.com: <empty>
Scratch list of UIDs: <empty>
6.3.26 querying outlook.office365.com (protocol POP3) at Wed Aug 08 13:03:16 2018:poll started
Trying to connect to 180.163.18.8/995...connected.
Certificate chain, from root to peer, starting at depth 1:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Global Root CA
Subject CommonName: DigiCert Cloud Services CA-1
Server certificate verification error: unable to get local issuer certificate
Broken certification chain at: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
This could mean that the server did not provide the intermediate CA's certificate(s), which is nothing fetchmail could do anything about. For details, please see the README.SSL-SERVER document that ships with fetchmail.
This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
Certificate at depth 1:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Global Root CA
Subject CommonName: DigiCert Cloud Services CA-1
Server certificate verification error: certificate not trusted
Server certificate:
Issuer Organization: DigiCert Inc
Issuer CommonName: DigiCert Cloud Services CA-1
Subject CommonName: outlook.com
Subject Alternative Name: *.clo.footprintdns.com
I believe the problem was that fetchmail had been built against a different SSL library from the one I ran the openssl test with. I have rebuilt fetchmail against that same library, 1.0.2n, and everything works as expected:
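What both tools are doing with --sslcertpath / -CApath is looking for a file named <subject_hash>.N in that directory, where the hash is computed by the OpenSSL library the program is linked against; a PEM file that is present but linked under the wrong hash name (or no hash name at all) gives exactly the "unable to get local issuer certificate" result seen above, while a different OpenSSL build can still report "Verify return code: 0 (ok)". The script below is an added example, not code from the original post or from fetchmail: it hashes a directory the way c_rehash does (creating both the current subject hash and the pre-1.0.0 "old" hash, since OpenSSL 1.0.0 changed the algorithm), checks that every PEM in the directory is reachable, and verifies a saved server certificate against the directory offline. The directory path and certificate file names are placeholders; run it with the openssl binary that belongs to the library fetchmail is actually linked against (ldd on the fetchmail binary shows which libssl that is).

```shell
#!/bin/sh
# Added example, not from the original post or from fetchmail.
# Usage: sh certdir-check.sh /home/bloggs/certs [server-cert.pem [intermediates.pem]]

# Create <subject_hash>.N links for every *.pem in the directory, the way
# c_rehash does. Both the current hash (OpenSSL >= 1.0.0) and the old one
# (OpenSSL 0.9.8) are linked, so a program built against either library
# finds the root. Idempotent: an existing link to the same file is kept.
rehash_certdir() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue
        name=$(basename "$pem")
        for h in $(openssl x509 -noout -subject_hash -subject_hash_old -in "$pem"); do
            # c_rehash uses .0, .1, ... when distinct certificates share a hash
            n=0
            while [ -e "$dir/$h.$n" ]; do
                cmp -s "$dir/$h.$n" "$pem" && break   # already linked to this file
                n=$((n + 1))
            done
            [ -e "$dir/$h.$n" ] || ln -s "$name" "$dir/$h.$n"
        done
    done
}

# Check that every *.pem is reachable through a <subject_hash>.N entry for the
# hash *this* openssl computes. Returns 1 if any certificate is unreachable,
# which is the state that produces "unable to get local issuer certificate"
# even though the PEM file itself is sitting in the directory.
check_certdir() {
    dir=$1
    status=0
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue
        name=$(basename "$pem")
        h=$(openssl x509 -noout -subject_hash -in "$pem")
        found=0
        for link in "$dir/$h".[0-9]*; do
            [ -e "$link" ] || continue
            if cmp -s "$link" "$pem"; then found=1; fi
        done
        if [ "$found" -eq 1 ]; then
            echo "ok      $name reachable as $h.N"
        else
            echo "MISSING $name: no $h.N entry (run rehash_certdir or c_rehash)"
            status=1
        fi
    done
    return $status
}

# Verify a saved server certificate against the hashed directory, optionally
# with the intermediates the server sent (the depth-1 certificate in the log
# above). This is the same lookup fetchmail performs during its handshake.
verify_against_certdir() {
    dir=$1
    leaf=$2
    if [ -n "$3" ]; then
        openssl verify -CApath "$dir" -untrusted "$3" "$leaf"
    else
        openssl verify -CApath "$dir" "$leaf"
    fi
}

if [ -n "${1:-}" ]; then
    rehash_certdir "$1"
    check_certdir "$1"
    [ -n "${2:-}" ] && verify_against_certdir "$1" "$2" "${3:-}"
fi
```

A useful habit when two OpenSSL builds are installed, as in the post, is to run check_certdir once with each openssl binary: if one reports the root as reachable and the other reports it MISSING, the hash names in the directory only match one library, and whichever program is linked against the other will fail verification regardless of what s_client says.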