On 10/04/2015 07:03 AM, Yan Seiner wrote:
> I am trying to figure out what I have done wrong.
>
> I have a certificate from PositiveSSL for my email server. I have the
> root certificate and the intermediate certs installed in /etc/ssl/certs/.
>
> However, I still cannot verify my certificate. I can't figure out
> what I have done wrong. I've been wrestling with this for a long
> time, and I am out of ideas.
>
> I am not that familiar with ssl certs - they usually "just work". This
> one, however, is kicking my butt.
Never mind. I tried one more thing and it worked.
I concatenated my cert onto the bundle and used that.
cat mail_seiner_com.pem PositiveSSL.pem > mail_seiner_com_bundle.pem
I'm not sure why neither exim4 nor dovecot would accept my cert and then
a ca cert but rather wanted them all in one bundle.
It now validates correctly.
yan at yan-ThinkPad-W530:~$ openssl s_client -connect mail.seiner.com:587
-starttls smtp -CApath /etc/ssl/certs
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN
= AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA
Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA
Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN =
mail.seiner.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.seiner.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.seiner.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA
Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 6936 bytes and written 698 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-SHA256
Session-ID:
30ADE9920D1BD0EC207BC77EBDA03D44AC6EA22658A1FEF788061C5B3C14FB73
Session-ID-ctx:
Master-Key:
F9AFA07FD0D81D0ED1F3265F126844345251BBB221AF0BE22204B7469AF5B4783129255AB04525743906A598E3582C0E
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1443959631
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 HELP
