Indeed. Downloading the intermediate CA bundle from Thawte and installing it as a chain certificate file into Apache did the trick!
Thank you very much,
Ron Arts

On 12 Jan. 2011 at 05:17, "Dave Thompson" <dthomp...@prinpay.com> wrote:

>> From: owner-openssl-us...@openssl.org On Behalf Of Ron Arts
>> Sent: Tuesday, 11 January, 2011 17:52
>
>> I just renewed my Thawte webserver certificate. This
>> certificate seems to work fine
>> with various browsers I tried, but curl, wget on CentOS
>> 5.5 are not able to verify it:
> <snip>
>> I followed these instructions on the above page:
>>
>> o openssl s_client -connect xxxxx.com:443 |tee logfile
>> o type "QUIT", followed by the "ENTER" key
>> o The certificate will have "BEGIN CERTIFICATE" and "END
>> CERTIFICATE" markers.
>
> That gets you the *server* (entity) cert, which is only useful
> as a CAcert if the server cert is selfsigned, which yours isn't.
> Yours is actually at level 3, under (according to FF 3.5)
> C=US, O=Thawte, Inc., CN=Thawte SSL CA
> C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c)
> 2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA
>
> You need to either 1) put those *two* certs in your client cacert file
> if not already there (OpenSSL always verifies the whole chain up to root)
> or 2) have your server send the level2 cert as a 'chain' cert
> AND put the level1 cert in your client cacert file if not already there
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
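The failure and the two fixes discussed in this thread, reproduced offline with `openssl verify` as an added example (not part of the original messages). It builds a constructed root, intermediate and server certificate with made-up names; `-untrusted` stands in for the chain certificate a server would send, and the file names and the `check` helper are assumptions of the example.

```shell
#!/bin/sh
# Constructed chain: root CA -> intermediate CA -> server certificate.
# All names are made up for the demonstration.
build_chain() (   # $1 = work directory (body runs in a subshell)
    cd "$1" || exit 1
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Level 1: self-signed root
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
        -subj "/CN=Example Root CA" -keyout root.key -out root.pem -days 30
    # Level 2: intermediate CA, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/CN=Example SSL CA" -keyout int.key -out int.csr
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.cnf -extensions v3_ca -out int.pem -days 30
    # Level 3: server (entity) certificate, signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/CN=www.example.test" -keyout srv.key -out srv.csr
    openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -out srv.pem -days 30
    cat root.pem int.pem > both.pem
) >/dev/null 2>&1

# Prints "ok" if `openssl verify` accepts the chain, "fail" otherwise.
check() {
    if openssl verify "$@" 2>&1 | grep -q ': OK$'; then echo ok; else echo fail; fi
}

work=$(mktemp -d)
build_chain "$work"
# What curl/wget saw: client trusts the root, server sends only its own cert.
echo "root in CA file, no chain cert:   $(check -CAfile "$work/root.pem" "$work/srv.pem")"
# Option 2: the server sends the intermediate; -untrusted models certificates
# that arrive from the peer and are not themselves trust anchors.
echo "root in CA file, chain cert sent: $(check -CAfile "$work/root.pem" -untrusted "$work/int.pem" "$work/srv.pem")"
# Option 1: both CA certificates are in the client's CA file.
echo "both CA certs in CA file:         $(check -CAfile "$work/both.pem" "$work/srv.pem")"
# Intermediate alone is not enough: by default the chain must reach a root.
echo "only intermediate in CA file:     $(check -CAfile "$work/int.pem" "$work/srv.pem")"
```

The first and last cases print `fail`, the middle two print `ok`.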