Hello all,
I have had a good hunt around and am having trouble finding a solution.
I am using stunnel to provide encrypted POP3 access to our mail server, and we have recently purchased a signed *.XXX.com certificate from GoDaddy.
This has been great since I can use the same cert on all our servers, and this has worked cleanly with the webservices.
However, I am having some issues with the stunnel and pop3 service. I am not entirely certain whether it is caused by the *.XXX.com certificate (although I think it unlikely) but was hoping someone more knowledgeable could enlighten me?
I currently have stunnel configured thusly:
    stunnel -f \
      -A /etc/stunnel/certs/sf_issuing.pem \
      -p /etc/stunnel/certs/wildcard.XXX.com.stunnel.pem \
      -r 127.0.0.1:110
Unfortunately my users are getting warnings, and using the openssl client I get:
    $ openssl s_client -connect mail.XXX.com:995
    CONNECTED(00000003)
    depth=1 /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/emailAddress=practices@starfieldtech.com
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/O=*.XXX.com/OU=Domain Control Validated/CN=*.XXX.com
       i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/emailAddress=practices@starfieldtech.com
     1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/emailAddress=practices@starfieldtech.com
       i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    [snip]
    -----END CERTIFICATE-----
    subject=/O=*.XXX.com/OU=Domain Control Validated/CN=*.XXX.com
    issuer=/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/emailAddress=practices@starfieldtech.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2381 bytes and written 340 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: 4E550C07BDA9661C4B532A28110E5616549CB9FA72D37E5C979E3C6579F8FB99
        Session-ID-ctx:
        Master-Key: 2E588101AA098463FA40C0353009F5842FA19B1C3D48D9A0000EB2E241EFB70BB10D52FE9BC444344D49653B9FEB25F4
        Key-Arg   : None
        Start Time: 1148463445
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---
I am positive this must have been covered before somewhere, but I haven't been able to find anything conclusive.
Apologies if I'm covering well trodden ground :)
TIA,
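As an added example (not part of the original post, and not code from stunnel or OpenSSL), here is a small Python script that reads `openssl s_client` output like the one above and states where verification stopped. It works on a constructed, shortened copy of that output and takes the client's trust store as a plain list of root subject strings, which is a simplification for the demo (a real client matches certificates in a store, not DN strings). Applied to the post's output it shows what error 20 at depth=1 means: the leaf is issued by the Starfield intermediate, which the server does present, but that intermediate's own issuer (the ValiCert Class 2 root) is not something the client already holds, so the chain is continuous yet unanchored.

```python
"""Explain an `openssl s_client` chain-verification failure from its text output.

Added example; this is not code from the original post or from stunnel/OpenSSL.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the s_client output in the post above, with the
# long distinguished names shortened so the lines stay readable.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=1 /C=US/O=Starfield Technologies, Inc./CN=Starfield Secure Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/O=*.XXX.com/OU=Domain Control Validated/CN=*.XXX.com
   i:/C=US/O=Starfield Technologies, Inc./CN=Starfield Secure Certification Authority
 1 s:/C=US/O=Starfield Technologies, Inc./CN=Starfield Secure Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./CN=http://www.valicert.com/
---
Server certificate
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----
Verify return code: 20 (unable to get local issuer certificate)
"""

# Hypothetical trust-store entry for the demo: real clients match certificates
# inside a store, not by comparing subject strings.
VALICERT_ROOT = "/L=ValiCert Validation Network/O=ValiCert, Inc./CN=http://www.valicert.com/"

CHAIN_SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
CHAIN_ISSUER = re.compile(r"^\s*i:(.*)$")
VERIFY_ERROR = re.compile(r"^depth=(\d+) .*\nverify error:num=(\d+):(.*)$", re.MULTILINE)


def parse_chain(output: str) -> List[Tuple[str, str]]:
    """Return the chain the server presented as (subject, issuer) pairs, leaf first."""
    chain: List[Tuple[str, str]] = []
    pending_subject: Optional[str] = None
    for line in output.splitlines():
        m = CHAIN_SUBJECT.match(line)
        if m:
            pending_subject = m.group(2).strip()
            continue
        m = CHAIN_ISSUER.match(line)
        if m and pending_subject is not None:
            chain.append((pending_subject, m.group(1).strip()))
            pending_subject = None
    return chain


def parse_verify_error(output: str) -> Optional[Dict[str, object]]:
    """Return the first verify error s_client reported, with the depth it occurred at."""
    m = VERIFY_ERROR.search(output)
    if m is None:
        return None
    return {"depth": int(m.group(1)), "num": int(m.group(2)), "reason": m.group(3).strip()}


def diagnose(output: str, trusted_root_subjects: List[str]) -> Dict[str, object]:
    """Classify the failure: broken chain, untrusted top issuer, or anchored chain."""
    chain = parse_chain(output)
    error = parse_verify_error(output)
    # Every presented certificate must be issued by the next one in the list.
    continuous = all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))
    top_issuer = chain[-1][1] if chain else None
    # The client can only finish verification if it already holds the issuer of
    # the last certificate the server sent.
    anchored = top_issuer is not None and top_issuer in trusted_root_subjects
    if not chain:
        verdict = "no certificate chain in output"
    elif not continuous:
        verdict = "chain is not continuous: an intermediate is missing or out of order"
    elif not anchored:
        verdict = ("chain is continuous but its top issuer is not in the local trust store; "
                   "either the client lacks that root or the server must send one more "
                   "intermediate that chains to a root the client does have")
    else:
        verdict = "chain anchors at a trusted root"
    return {
        "depths_presented": len(chain),
        "continuous": continuous,
        "anchored": anchored,
        "missing_issuer": None if anchored else top_issuer,
        "error": error,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for store in ([], [VALICERT_ROOT]):
        result = diagnose(SAMPLE_OUTPUT, store)
        print(f"trust store {store!r}: {result['verdict']}")
```

Two caveats when reading the verdict: `s_client` only trusts what it is pointed at with `-CAfile` or `-CApath`, so error 20 from a bare `s_client` run does not by itself prove that mail clients with the vendor's root installed will fail. And, as far as I know, the chain a server sends comes from the PEM file it serves (the `-p` file in the command above), so when clients genuinely lack the intermediate, the usual remedy is to append the intermediate certificate(s) after the server certificate in that file; the `-A` CA file configures which certificates stunnel trusts when verifying peers, which is a separate matter.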