[stunnel-users] Using a signed *.domain.com with ssl - Getting "unable to get local issuer certificate"
Pritesh Mehta
pmehta at gnr.com
Wed May 24 11:46:25 CEST 2006
Hello all,
I have had a good hunt around and am having trouble finding a solution.
I am using stunnel to provide encrypted pop3 access to our mail server,
and we have recently purchased a signed *.XXX.com certificate from
godaddy.
This has been great since I can use the same cert on all our servers,
and this has worked cleanly with the webservices.
However, I am having some issues with the stunnel and pop3 service. I am
not entirely certain whether it is caused by the *.XXX.com certificate
(although I think it unlikely) but was hoping someone more knowledgeable
could enlighten me?
I currently have stunnel configured thusly:
stunnel -f \
-A /etc/stunnel/certs/sf_issuing.pem \
-p /etc/stunnel/certs/wildcard.XXX.com.stunnel.pem \
-r 127.0.0.1:110
Unfortunately my users are getting warnings, and using the openssl
client I get:
$ openssl s_client -connect mail.XXX.com:995
CONNECTED(00000003)
depth=1 /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/emailAddress=practices at starfieldtech.com
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/O=*.XXX.com/OU=Domain Control Validated/CN=*.XXX.com
i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/emailAddress=practices at starfieldtech.com
1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/emailAddress=practices at starfieldtech.com
i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----
subject=/O=*.XXX.com/OU=Domain Control Validated/CN=*.XXX.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://www.starfieldtech.com/repository/CN=Starfield Secure Certification Authority/emailAddress=practices at starfieldtech.com
---
No client certificate CA names sent
---
SSL handshake has read 2381 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 4E550C07BDA9661C4B532A28110E5616549CB9FA72D37E5C979E3C6579F8FB99
Session-ID-ctx:
Master-Key: 2E588101AA098463FA40C0353009F5842FA19B1C3D48D9A0000EB2E241EFB70BB10D52FE9BC444344D49653B9FEB25F4
Key-Arg : None
Start Time: 1148463445
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
I am positive this must have been covered before somewhere, but I haven't been able to find anything conclusive.
Apologies if I'm covering well trodden ground :)
TIA,
--
Pritesh Mehta <pmehta at gnr.com>
Global Name Registry
_____________________________________________________
Information contained herein is Global Name Registry Proprietary
Information and/or Registry Sensitive Information and is made available
to you because of your interest in or affiliation with our company. This
information is submitted in confidence and its disclosure to you is not
intended to constitute public disclosure or authorization for disclosure
to other parties. Should you have received this email and are not an
intended recipient, please delete this email in its entirety. Global
Name Registry is registered with the Office of the UK Information
Commissioner.
More information about the stunnel-users
mailing list