On Mon, 13 Sep 2010, Chris wrote:

> Be careful you are not checking the web server from a browser that has
> the intermediate certificate installed.

I initially installed just the new cert on the web server, and the web browsers were generating cert security errors. I then went back and added the SSLCACertificateFile directive and the intermediate certs on the server; at that point the web browsers were happy. This leads me to believe the web server is correctly configured.

> openssl s_client -verify 10 -CAfile thawte_root_cert.pem -connect
> strategic.wiki.csupomona.edu:443

I had output from a similar command in my initial email without the verify option; it still fails with it:

-------------------------------------------------------------------------
$ openssl s_client -verify 10 -CAfile /etc/ssl/certs/Thawte_Premium_Server_CA.pem -connect strategic.wiki.csupomona.edu:443
verify depth is 10
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Pomona/O=California State Polytechnic University, Pomona/OU=I&IT Systems/CN=strategic.wiki.csupomona.edu
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-------------------------------------------------------------------------

gnutls-cli on the same box works fine, listing the entire certificate chain:

-------------------------------------------------------------------------
$ gnutls-cli --x509cafile /etc/ssl/certs/Thawte_Premium_Server_CA.pem strategic.wiki.csupomona.edu -p 443
Processed 1 CA certificate(s).
Resolving 'strategic.wiki.csupomona.edu'...
Connecting to '134.71.247.55:443'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
 - Got a certificate list of 3 certificates.
 - Certificate[0] info:
  - subject `C=US,ST=California,L=Pomona,O=California State Polytechnic University\, Pomona,OU=I&IT Systems,CN=strategic.wiki.csupomona.edu', issuer `C=US,O=Thawte\, Inc.,CN=Thawte SSL CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2010-09-10 00:00:00 UTC', expires `2011-09-10 23:59:59 UTC', SHA-1 fingerprint `57292bcd7541c56c7b664705f0192b43a927056c'
 - Certificate[1] info:
  - subject `C=US,O=Thawte\, Inc.,CN=Thawte SSL CA', issuer `C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA', RSA key 2048 bits, signed using RSA-SHA1, activated `2010-02-08 00:00:00 UTC', expires `2020-02-07 23:59:59 UTC', SHA-1 fingerprint `73e42686657aece354fbf685712361658f2f4357'
 - Certificate[2] info:
  - subject `C=US,O=thawte\, Inc.,OU=Certification Services Division,OU=(c) 2006 thawte\, Inc. - For authorized use only,CN=thawte Primary Root CA', issuer `C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA,email=premium-ser...@thawte.com', RSA key 2048 bits, signed using RSA-SHA1, activated `2006-11-17 00:00:00 UTC', expires `2020-12-30 23:59:59 UTC', SHA-1 fingerprint `1fa490d1d4957942cd23545f6e823d0000796ea2'
- The hostname in the certificate matches 'strategic.wiki.csupomona.edu'.
- Peer's certificate is trusted
-------------------------------------------------------------------------

As far as I can tell the web server is configured correctly, as web browsers and gnutls are happy with it. It's just openssl and applications that use it that seem to be failing for reasons I haven't determined.

Thanks...

-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  hen...@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org