Changing Gmail SSL certificate

I was curious why I couldn’t fetch my mail to my laptop from Google’s Gmail service, when it has been promptly dropping my mail onto my BlackBerry. I tried running the 'fetchmail' command manually and was greeted with the following message:

fetchmail: pop.gmail.com fingerprints do not match!
9203:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:894:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from [my email]@pop.gmail.com
fetchmail: Query status=2 (SOCKET)

Seems like Gmail has changed their certificates! The way to solve the problem is to pull the new certificate and update the MD5 fingerprint in .fetchmailrc:

% openssl s_client -connect pop.gmail.com:995 -showcerts
CONNECTED(00000004)
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
... base64-encoded certificate data ...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 891 bytes and written 314 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: BEE4859291CC8325784BE44785F2F705D47CD462B0A5ADC98B62A86A1851B41E
    Session-ID-ctx: 
    Master-Key: 4E085FD56B0A36C4C278C7250BC1D5BC144CE8E7CF979D07086AA1D5E7C40D64DB76285057E16EAD027F789B9B0E1D84
    Key-Arg   : None
    Start Time: 1194725790
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
+OK Gpop ready for requests from [MY IP ADDRESS]

Copy the certificate, that is, everything from the -----BEGIN CERTIFICATE----- line to the -----END CERTIFICATE----- line inclusive, into a new file, e.g. '/etc/ssl/certs/new_gmail.pem'. Then recreate the hash-named symbolic links with c_rehash before generating the MD5 fingerprint to put in .fetchmailrc:

% c_rehash /etc/ssl/certs
... lots of other output ...
new_gmail.pem => 7f549ca4.0

% openssl x509 -fingerprint -md5 -noout -in new_gmail.pem
MD5 Fingerprint=44:A8:E9:2C:FB:A9:7E:6D:F9:DB:F3:62:B2:9E:F1:A9

Replace the old fingerprint with the new one in .fetchmailrc, as in my example here:

poll pop.gmail.com with proto POP3
    auth password user "myusername" there with password "mypassword" is vince here
    options keep no fetchall sslcertck
#        options keep ssl sslfingerprint '59:51:61:89:CD:DD:B2:35:94:BB:44:97:A0:39:D5:B4'
        options keep ssl sslfingerprint '44:A8:E9:2C:FB:A9:7E:6D:F9:DB:F3:62:B2:9E:F1:A9'

Replace the old line (commented out above) with the new MD5 fingerprint as shown. Fetchmail should resume working now!
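
The fingerprint step above, as an added example that is not part of the original post: it pulls the first certificate block out of saved `openssl s_client -showcerts` output, computes the MD5 digest of the DER bytes in the colon-separated form that `openssl x509 -fingerprint -md5` prints, and checks it against the uncommented `sslfingerprint` pins in a .fetchmailrc. The function names and both sample inputs are constructed for illustration; the sample certificate payload is placeholder bytes, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
PIN_RE = re.compile(r"sslfingerprint\s+['\"]([0-9A-Fa-f:]+)['\"]")

# Constructed sample, not real s_client output: the base64 payload decodes
# to the three bytes b"abc", standing in for a DER-encoded certificate.
SAMPLE_S_CLIENT = """Certificate chain
 0 s:/CN=pop.example.invalid
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
---
"""

# Constructed sample in the layout of the .fetchmailrc shown above.
SAMPLE_RC = """poll pop.gmail.com with proto POP3
#        options keep ssl sslfingerprint '59:51:61:89:CD:DD:B2:35:94:BB:44:97:A0:39:D5:B4'
        options keep ssl sslfingerprint '44:A8:E9:2C:FB:A9:7E:6D:F9:DB:F3:62:B2:9E:F1:A9'
"""


def leaf_der(s_client_output):
    """DER bytes of the first (leaf) certificate block in the output."""
    m = PEM_RE.search(s_client_output)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def fetchmail_fingerprint(der):
    """MD5 over the DER bytes as uppercase, colon-separated hex pairs."""
    digest = hashlib.md5(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def active_pins(fetchmailrc_text):
    """sslfingerprint values on lines that are not commented out."""
    pins = []
    for line in fetchmailrc_text.splitlines():
        if not line.lstrip().startswith("#"):
            pins.extend(PIN_RE.findall(line))
    return pins


def pin_matches(s_client_output, fetchmailrc_text):
    """True if the presented certificate matches an active pin exactly."""
    return fetchmail_fingerprint(leaf_der(s_client_output)) in active_pins(fetchmailrc_text)
```

Because the `s_client` session above ends with verify return code 21, the certificate it shows is unauthenticated; a mismatch reported by this check is the point at which to confirm the new fingerprint through a second channel before re-pinning.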