Hello,
Just to add that Thawte has changed the certificat chain with wildcard
certificate. Now, there is a new intermediate CA that you have to add in
the chain.
So, if you are in a case of certificate renewal, it can be "normal" that
the old process you've used last time didn't work for now.
eu...@mail2.infochem.de wrote:
On Wed, Oct 19, 2011 at 02:56:59PM +0000, Viktor Dukhovni wrote:
Not entirely, you configured only the leaf server cert, and did
not also configure the intermediate CA cert (which should be appended
to your cert.pem file).
Thanks for catching it -- I obviously don't really know what I'm doing.
I've appended the cert, and now am getting
$ openssl s_client -starttls smtp -showcerts -connect mail2.infochem.de:25
CONNECTED(00000003)
depth=1 /C=US/O=Thawte, Inc./CN=Thawte SSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=DE/ST=Bayern/L=Muenchen/O=InfoChem Gesellschaft fuer chemische
Information mbH/CN=*.infochem.de
i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIQTpsvOpahvRBTxcfA7z9rxDANBgkqhkiG9w0BAQUFADA8
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMuMRYwFAYDVQQDEw1U
aGF3dGUgU1NMIENBMB4XDTEwMTIxMzAwMDAwMFoXDTEyMTIxMjIzNTk1OVowgYgx
CzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCYXllcm4xETAPBgNVBAcUCE11ZW5jaGVu
MT0wOwYDVQQKFDRJbmZvQ2hlbSBHZXNlbGxzY2hhZnQgZnVlciBjaGVtaXNjaGUg
SW5mb3JtYXRpb24gbWJIMRYwFAYDVQQDFA0qLmluZm9jaGVtLmRlMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAthrw6kB91Kvfd9e26NSKM5euPpO7pCgV
BwOYBT3wxr1pnUGndzb8dXsFEFEsFhQNoLbVhCsIbpWiuNeDr3bljSom03jhpJ+K
MFDwB0Fd/7Ba6IezNwmqQnhTRGjI1rRkYBwwmybVZ3dYaUzVyQ6MctDJgiMGFXOg
62lKPUidL2llplv3P0vZWl8/9S4z5CGSVXvXBPE/d2k/J3LDG+Js294fCJCklXOJ
67LG8ZLDRbRQu3rsXmVcF7AGK7RsC0vYq6X6BF6IbO59DY3XJxoiHq4ZxLyqTcyO
x7MKDRGuIt715qOiHK5dDSx9Qh8Hi+Mkzf1xFgDz3a0OyXsRIXsr3QIDAQABo4Gg
MIGdMAwGA1UdEwEB/wQCMAAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL3N2ci1v
di1jcmwudGhhd3RlLmNvbS9UaGF3dGVPVi5jcmwwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDov
L29jc3AudGhhd3RlLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEATDOHEzuuHq629yAr
EtwaeMyVy12s9hIkgRmlnXL3X5E7uzUqTf+6uehTIi6Ri7s2oS8OpP0oLAp/OC8l
4e8KhVPe+RUObgiLp1HQpZoNXQCMGpOx1FrXJ6sN/XBllPfIaHpUGmM7CabGEgYu
ATnt8hI4tzpgcnxzJmg9ipiGznsFS4HwqJN+p4+WM4L24OIsIxwT90t70MzVgxsf
CcQvkpkUSzA1jcCzjUBzZqB55s0NlEdhojS5dAdMqZGS4ZrtqGvIXT+0ajDoLexp
Gkxw7Q7F9K4fsJCGRPVdM3/MNE3DRLY/4EQ7EFLfr8e8HR1PzAryiEKMkJHcZUM9
6N0dCg==
-----END CERTIFICATE-----
1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006
thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
-----BEGIN CERTIFICATE-----
MIIEbDCCA1SgAwIBAgIQTV8sNAiyTCDNbVB+JE3J7DANBgkqhkiG9w0BAQUFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
Q2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIw
MDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNV
BAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMTAwMjA4MDAwMDAwWhcNMjAw
MjA3MjM1OTU5WjA8MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMu
MRYwFAYDVQQDEw1UaGF3dGUgU1NMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEAmeSFW3ZJfS8F2MWsyMip09yY5tc0pi8M8iIm2KPJFEyPBaRF6BQM
WJAFGrfFwQalgK+7HUlrUjSIw1nn72vEJ0GMK2Yd0OCjl5gZNEtB1ZjVxwWtouTX
7QytT8G1sCH9PlBTssSQ0NQwZ2ya8Q50xMLciuiX/8mSrgGKVgqYMrAAI+yQGmDD
7bs6yw9jnw1EyVLhJZa/7VCViX9WFLG3YR0cB4w6LPf/gN45RdWvGtF42MdxaqMZ
pzJQIenyDqHGEwNESNFmqFJX1xG0k4vlmZ9d53hR5U32t1m0drUJN00GOBN6HAiY
XMRISstSoKn4sZ2Oe3mwIC88lqgRYke7EQIDAQABo4H7MIH4MDIGCCsGAQUFBwEB
BCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL29jc3AudGhhd3RlLmNvbTASBgNVHRMB
Af8ECDAGAQH/AgEAMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwudGhhd3Rl
LmNvbS9UaGF3dGVQQ0EuY3JsMA4GA1UdDwEB/wQEAwIBBjAoBgNVHREEITAfpB0w
GzEZMBcGA1UEAxMQVmVyaVNpZ25NUEtJLTItOTAdBgNVHQ4EFgQUp6KDuzRFQD38
1TBPErk+oQGf9tswHwYDVR0jBBgwFoAUe1tFz6/Oy3r9MZIaarbzRutXSFAwDQYJ
KoZIhvcNAQEFBQADggEBAIAigOBsyJUW11cmh/NyNNvGclYnPtOW9i4lkaU+M5en
S+Uv+yV9Lwdh+m+DdExMU3IgpHrPUVFWgYiwbR82LMgrsYiZwf5Eq0hRfNjyRGQq
2HGn+xov+RmNNLIjv8RMVR2OROiqXZrdn/0Dx7okQ40tR0Tb9tiYyLL52u/tKVxp
EvrRI5YPv5wN8nlFUzeaVi/oVxBw9u6JDEmJmsEj9cIqzEHPIqtlbreUgm0vQF9Y
3uuVK6ZyaFIZkSqudZ1OkubK3lTqGKslPOZkpnkfJn1h7X3S5XFV2JMXfBQ4MDzf
huNMrUnjl1nOG5srztxl1Asoa06ERlFE9zMILViXIa4=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/ST=Bayern/L=Muenchen/O=InfoChem Gesellschaft fuer chemische
Information mbH/CN=*.infochem.de
issuer=/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3082 bytes and written 366 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 48039E609473BB327D2C37180D7FD5B69C23D0819EE0E1EF6D9D6046CA75BE18
Session-ID-ctx:
Master-Key:
9390E8DCF57B06BF51D4E3A4EDF884DE5FB015C2A93B81E3CD103A8C4203A9D962808E1C48082E955C84C39530F3D07D
Key-Arg : None
Start Time: 1319040752
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
250 DSN
The issuer: /C=US/O=Thawte, Inc./CN=Thawte SSL CA
is not a root CA. Probably the missing intermediate is something like:
http://ait.its.psu.edu/services/identity-access-management/identity/webaccess/Thawte-SSL-CA.txt
Here's what I see:
$ openssl s_client -starttls smtp -showcerts -connect mail2.infochem.de:25
depth=0 C = DE, ST = Bayern, L = Muenchen, O = InfoChem Gesellschaft fuer
chemische Information mbH, CN = *.infochem.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = Bayern, L = Muenchen, O = InfoChem Gesellschaft fuer
chemische Information mbH, CN = *.infochem.de
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = DE, ST = Bayern, L = Muenchen, O = InfoChem Gesellschaft fuer
chemische Information mbH, CN = *.infochem.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=DE/ST=Bayern/L=Muenchen/O=InfoChem Gesellschaft fuer chemische
Information mbH/CN=*.infochem.de
i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIQTpsvOpahvRBTxcfA7z9rxDANBgkqhkiG9w0BAQUFADA8
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMVGhhd3RlLCBJbmMuMRYwFAYDVQQDEw1U
aGF3dGUgU1NMIENBMB4XDTEwMTIxMzAwMDAwMFoXDTEyMTIxMjIzNTk1OVowgYgx
CzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZCYXllcm4xETAPBgNVBAcUCE11ZW5jaGVu
MT0wOwYDVQQKFDRJbmZvQ2hlbSBHZXNlbGxzY2hhZnQgZnVlciBjaGVtaXNjaGUg
SW5mb3JtYXRpb24gbWJIMRYwFAYDVQQDFA0qLmluZm9jaGVtLmRlMIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAthrw6kB91Kvfd9e26NSKM5euPpO7pCgV
BwOYBT3wxr1pnUGndzb8dXsFEFEsFhQNoLbVhCsIbpWiuNeDr3bljSom03jhpJ+K
MFDwB0Fd/7Ba6IezNwmqQnhTRGjI1rRkYBwwmybVZ3dYaUzVyQ6MctDJgiMGFXOg
62lKPUidL2llplv3P0vZWl8/9S4z5CGSVXvXBPE/d2k/J3LDG+Js294fCJCklXOJ
67LG8ZLDRbRQu3rsXmVcF7AGK7RsC0vYq6X6BF6IbO59DY3XJxoiHq4ZxLyqTcyO
x7MKDRGuIt715qOiHK5dDSx9Qh8Hi+Mkzf1xFgDz3a0OyXsRIXsr3QIDAQABo4Gg
MIGdMAwGA1UdEwEB/wQCMAAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL3N2ci1v
di1jcmwudGhhd3RlLmNvbS9UaGF3dGVPVi5jcmwwHQYDVR0lBBYwFAYIKwYBBQUH
AwEGCCsGAQUFBwMCMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDov
L29jc3AudGhhd3RlLmNvbTANBgkqhkiG9w0BAQUFAAOCAQEATDOHEzuuHq629yAr
EtwaeMyVy12s9hIkgRmlnXL3X5E7uzUqTf+6uehTIi6Ri7s2oS8OpP0oLAp/OC8l
4e8KhVPe+RUObgiLp1HQpZoNXQCMGpOx1FrXJ6sN/XBllPfIaHpUGmM7CabGEgYu
ATnt8hI4tzpgcnxzJmg9ipiGznsFS4HwqJN+p4+WM4L24OIsIxwT90t70MzVgxsf
CcQvkpkUSzA1jcCzjUBzZqB55s0NlEdhojS5dAdMqZGS4ZrtqGvIXT+0ajDoLexp
Gkxw7Q7F9K4fsJCGRPVdM3/MNE3DRLY/4EQ7EFLfr8e8HR1PzAryiEKMkJHcZUM9
6N0dCg==
-----END CERTIFICATE-----
--
Viktor.
