I use fetchmail on my home server to retrieve email from my ISP and several Gmail accounts. I run an IMAP server on my home server. I’ve been doing this for years with no issues. Yesterday I upgraded from Fedora 43 to Fedora 44. I noticed that fetchmail is reporting an error in the logs:
Apr 27 11:24:40 redwood fetchmail[237800]: reading message username@pop.gmail.com:1 of 1 (5853 octets) (log message incomplete)
Apr 27 11:24:40 redwood fetchmail[237800]: Server certificate verification error: hostname mismatch
Apr 27 11:24:40 redwood fetchmail[237800]: Warning: the connection is insecure, continuing anyways. (Better use --sslcertck!)
(Replaced the actual user name with “username”.)
I ran into a similar SSL cert issue with postfix which I was able to correct. It had been using the file /etc/pki/tls/certs/ca-bundle.crt. After the upgrade, this file was missing. A bit of googling revealed that things had moved to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. I was able to alter the postfix config to point to the new location. However, everything I’ve tried with fetchmail to point it to the new location has failed. I tried using the sslcertfile and sslcertpath options in the fetchmailrc file but nothing worked. Note that fetchmail is continuing to retrieve the mail but in an insecure mode. I’d just like to clean up the error and keep the connection secure.
I’m not totally sure, but for now I assume it’s my server. There are no certificates I created or obtained for fetchmail. Any certs it uses would come with the system. Apparently Fedora 44 changed a bunch of stuff with the locations of the certs it supplies with the package ca-certificates-2025.2.80_v9.0.304-7.fc44.noarch. I’ve found a discussion on Reddit with people complaining about this but for other reasons than fetchmail.
Problem Solved! Thanks for the suggestion of increasing the verbosity.
I do have my own SSL cert that I use on my web site. I get that from Let’s Encrypt. I use the same cert for postfix and dovecot (my IMAP software). Turns out the error I was seeing was not when fetchmail connected with the remote server but when it connected with my local postfix. The cert is for either www.dennett.org or dennett.org. I also name my server redwood or redwood.dennett.org, and fetchmail was configured to connect to redwood.dennett.org. That is not the name on my cert, which is what was throwing the error.
Simple fix. I changed fetchmail to connect locally to dennett.org which agreed with the cert and the error went away. Too many names for the same server and I got bit.
Now, why I never saw this error before is a mystery. Maybe they plugged up some security hole with Fedora 44.
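The mismatch described in the solution above, as an added example that is not part of the original thread: a hostname check in the style TLS clients apply (RFC 6125 matching), run against the names the post mentions. `CERT` is constructed sample data in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, not the poster's real certificate, and the function names are this example's own.

```python
# Added example: check which connect names a certificate actually covers.
# CERT is constructed sample data (getpeercert() dict shape), built only
# from the names mentioned in the thread.
CERT = {
    "subject": ((("commonName", "dennett.org"),),),
    "subjectAltName": (("DNS", "dennett.org"), ("DNS", "www.dennett.org")),
}


def dns_names(cert):
    """Return the DNS subjectAltName entries, lower-cased."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, hostname):
    """Match one certificate name against a hostname.

    A wildcard is honoured only as the complete left-most label and
    covers exactly one label, so *.dennett.org does not match dennett.org.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) > 2:
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def verify_hostname(cert, hostname):
    """Return (ok, names); ok is True if any SAN DNS name covers hostname."""
    names = dns_names(cert)
    return any(name_matches(n, hostname) for n in names), names


def report(cert, candidates):
    """Map each name a client might connect to onto ok / hostname mismatch."""
    return {h: ("ok" if verify_hostname(cert, h)[0] else "hostname mismatch")
            for h in candidates}


if __name__ == "__main__":
    hosts = ["redwood.dennett.org", "dennett.org", "www.dennett.org"]
    for host, result in report(CERT, hosts).items():
        print(f"{host:22} {result}")
```

The machine's own hostname only verifies if it appears in the certificate's subjectAltName list (or is covered by a wildcard entry); resolving to the same server is not enough.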