SSL help #2 - unable to verify the first certificate

Minimalist
Normal user
Posts: 45
Joined: 2006-05-24 16:31
Location: The InterWeb

Post by Minimalist » 2008-10-17 21:17

Anyone know how to resolve this? I was getting "invalid certificate" notices on an iPhone, and connecting to the server with SSL I get the following messages (this is a GoDaddy Turbo SSL certificate):

openssl s_client -connect mail.minimalist.com:995
CONNECTED(00000003)
depth=0 /O=mail.minimalist.com/CN=mail.minimalist.com/OU=Domain Control Validated
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=mail.minimalist.com/CN=mail.minimalist.com/OU=Domain Control Validated
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=mail.minimalist.com/CN=mail.minimalist.com/OU=Domain Control Validated
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/O=mail.minimalist.com/CN=mail.minimalist.com/OU=Domain Control Validated
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
Server certificate
Server certificate
then the cert...
-----END CERTIFICATE-----

subject=/O=mail.minimalist.com/CN=mail.minimalist.com/OU=Domain Control Validated
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
No client certificate CA names sent
---
SSL handshake has read 1817 bytes and written 700 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: FF4E3DC6C504A570A591B06BB25C38FD7D55BBD8BE5F3ED91B2F3C240FA92E18
Session-ID-ctx:
Master-Key: ABC68A2AB409BC2E08F876DA768A2F6DE36AFE43A9A0B97734AC979E296B36EB351D9F4895F33B9FC888AB18AEC4404B
Key-Arg : None
Start Time: 1224270554
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
+OK
Any idea how to rectify? Do I need to add the whole chain of public certs to the public cert file?
Kurt Koller
Minimalist
http://minimalist.com
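The s_client output above can be read mechanically. As an added example (not from this thread or from hMailServer), the Python below parses the "Certificate chain" and "Verify return code" lines and reports whether the server sent only its leaf certificate, which is what verify error 21 indicates; the sample text is constructed from the lines quoted in the post (PEM body and session data omitted), and the depth/code rule in diagnose() is a heuristic of this example, not an OpenSSL API.

```python
import re

# Constructed sample: the chain and verify lines from the s_client output quoted above.
SAMPLE_OUTPUT = """\
Certificate chain
 0 s:/O=mail.minimalist.com/CN=mail.minimalist.com/OU=Domain Control Validated
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
Server certificate
Verify return code: 21 (unable to verify the first certificate)
"""

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    chain, lines = [], output.splitlines()
    for n, line in enumerate(lines):
        m = re.match(r"\s*\d+\s+s:(.*)", line)
        if m and n + 1 < len(lines):
            i = re.match(r"\s*i:(.*)", lines[n + 1])
            chain.append((m.group(1).strip(), i.group(1).strip() if i else ""))
    return chain

def verify_code(output):
    """Integer from the 'Verify return code: N (...)' line, or None if absent."""
    m = re.search(r"Verify return code: (\d+)", output)
    return int(m.group(1)) if m else None

def find_break(chain):
    """(depth, issuer DN) of the first certificate whose issuer the server did not
    send; None when the chain ends in a self-signed root or has no gap."""
    subjects = {subj for subj, _ in chain}
    for depth, (subj, issuer) in enumerate(chain):
        if issuer == subj:          # self-signed root closes the chain
            return None
        if issuer not in subjects:  # next link was not in the handshake
            return depth, issuer
    return None

def diagnose(output):
    """Heuristic (assumption of this example): code 21 with the gap at depth 0 means
    only the leaf was sent, so the intermediate belongs in the server's certificate
    file; any other non-zero code with a gap is most often a root the client lacks."""
    code, brk = verify_code(output), find_break(parse_chain(output))
    if code == 0 or brk is None:
        return {"code": code, "problem": None, "needed": None}
    depth, issuer = brk
    if depth == 0 and code == 21:
        return {"code": code, "problem": "missing_intermediate", "needed": issuer}
    return {"code": code, "problem": "untrusted_root_or_gap", "needed": issuer}
```

Run diagnose() on the full captured output of `openssl s_client -connect host:995`; for the session quoted above it names the Go Daddy intermediate as the certificate the server should also be sending.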

MP3Freak
Normal user
Posts: 221
Joined: 2007-06-13 22:19

Re: SSL help #2 - unable to verify the first certificate

Post by MP3Freak » 2009-01-28 18:22

Here's an easy way to generate all the SSL stuff needed for hMailServer:

http://www.hmailserver.com/forum/viewto ... 12&t=13953

Minimalist
Normal user
Posts: 45
Joined: 2006-05-24 16:31
Location: The InterWeb

Re: SSL help #2 - unable to verify the first certificate

Post by Minimalist » 2009-01-28 18:29

That's a really useful document for self-signed certs. Thanks for posting.

In my case, I was using a purchased SSL cert. As it turns out, the only application that complained about it was the iPhone, and luckily it only asks once if you're ok with it and remembers it for all eternity.
Kurt Koller
Minimalist
http://minimalist.com

plobby
Normal user
Posts: 115
Joined: 2008-01-29 07:04

Re: SSL help #2 - unable to verify the first certificate

Post by plobby » 2009-01-29 20:23

Minimalist wrote: That's a really useful document for self-signed certs. Thanks for posting.

In my case, I was using a purchased SSL cert. As it turns out, the only application that complained about it was the iPhone, and luckily it only asks once if you're ok with it and remembers it for all eternity.

Do you know of any good documentation on implementing a purchased cert?

DFitch
Senior user
Posts: 258
Joined: 2006-09-16 20:40

Re: SSL help #2 - unable to verify the first certificate

Post by DFitch » 2009-01-30 09:41

plobby wrote: Do you know of any good documentation on implementing a purchased cert?

What format is it? .pfx?

You will need openssl installed, then:

If you want to extract the private key from a .pfx file and write it to a PEM file:
openssl.exe pkcs12 -in file_name.pfx -nocerts -out privateKey.pem

If you want to extract the certificate (the signed public key) from the .pfx file:
openssl.exe pkcs12 -in file_name.pfx -clcerts -nokeys -out publicCert.pem

To remove the password from the private key file:
openssl.exe rsa -in privateKey.pem -out private.pem
hMailServer 5.3.3: External MySql
Win2k3 Server | eWall 4.0 Anti-Spam Anti-Virus SMTP Proxy {http://sssolutions.net/}
SpamAssassin 3.31 - ClamAV on backend Ubuntu Server 10.04(VMware)