
Re: [msmtp-users] Fingerprints do not match error-how to fix?



On Sun, Jan 24, 2016 at 3:43 PM, John Hudak <jjhudak@...20...> wrote:
> I installed msmtp on opensuse 13.2 using yast from the package repository.
> tls_trust_file /etc/ssl/certs/ca-certificates.crt

If that's suse's big global ca file, it may be old, inspect and try...
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

> cannot load trust file /etc/ssl/certs/ca-certificates.crt:
> error:2D06C06E:FIPS routines:FIPS_module_mode_set:fingerprint does not match

I don't recall that specific error but google uses an intermediate
private ca that probably isn't in that global set, get it from the
gmail server cert. See...
openssl s_client -connect | openssl x509 -text

> If I comment out the line and add tls_certcheck off, the program appears to
> work, e.g. I get mail at gmail.

Pinning down the fingerprint is needed for better security, theirs
changes often.
And you want narrow per server configs so you don't end up trusting the
whole global set in the trust file.

Also useful...
openssl verify
https://github.com/agl/extract-nss-root-certs

> So, I am a novice at cert mgmt, how can this be fixed?

Search around on the commands above in order to
validate your cert chain.
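
Added example, not part of the original message: the fingerprint pinning and `openssl verify` checks the reply points to, run offline against throwaway self-signed certificates. The host names, account name and helper function names are assumptions made up for the illustration; on a real system the certificate file would be the one saved from the `openssl s_client` output.

```shell
#!/bin/sh
# Added example. Host names, account name and paths are constructed placeholders.

# Print the SHA-256 fingerprint of a PEM certificate as colon-separated hex,
# the form msmtp's tls_fingerprint setting takes.
cert_fingerprint() {  # usage: cert_fingerprint CERT
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed only if CERT verifies against TRUST_FILE. Caveat: openssl may also
# consult its default CA directory; OpenSSL 1.1.0+ has -no-CApath to stop that.
chain_ok() {  # usage: chain_ok TRUST_FILE CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Create a throwaway self-signed certificate (constructed sample input).
make_demo_cert() {  # usage: make_demo_cert DIR NAME
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# Emit a per-server msmtp account that pins one certificate instead of
# trusting every CA in a global bundle or setting tls_certcheck off.
pin_stanza() {  # usage: pin_stanza ACCOUNT HOST CERT
    printf 'account %s\nhost %s\ntls on\ntls_fingerprint %s\n' \
        "$1" "$2" "$(cert_fingerprint "$3")"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_cert "$dir" smtp.example.test
    make_demo_cert "$dir" other.example.test
    pin_stanza demo smtp.example.test "$dir/smtp.example.test.pem"
    # A trust file holding only the right certificate accepts it ...
    chain_ok "$dir/smtp.example.test.pem" "$dir/smtp.example.test.pem" \
        && echo "narrow trust file: verified"
    # ... and a trust file holding an unrelated certificate does not.
    chain_ok "$dir/other.example.test.pem" "$dir/smtp.example.test.pem" \
        || echo "unrelated trust file: rejected"
    rm -rf "$dir"
}
demo
```

A pinned fingerprint has to be refreshed whenever the server rotates its certificate, which is the trade-off the reply mentions for providers whose certificates change often.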