Koozali.org: home of the SME Server

rapidssl certificate installation

Offline kruhm

rapidssl certificate installation
« on: August 11, 2011, 02:44:34 PM »
Hi Everyone,

Does anyone have a rapidssl certificate correctly installed?

It works fine for https (443) without issue but it complains for imaps (993). This means when I go to the webmail everything's fine, but when I access via a mail client, it complains of a broken chain.

Can anyone provide any insight?

Thanks in advance,

Offline cactus

Re: rapidssl certificate installation
« Reply #1 on: August 11, 2011, 06:02:03 PM »
It works fine for https (443) without issue but it complains for imaps (993). This means when I go to the webmail everything's fine, but when I access via a mail client, it complains of a broken chain.

Can anyone provide any insight?
Not when you do not specify the error message. Please keep in mind that we cannot see what you see, so you will have to provide us with information like exact error messages and the methods you tried. That way, instead of guessing, we can try to see if you did the right thing and see the clues you are seeing.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline kruhm

Re: rapidssl certificate installation
« Reply #2 on: August 11, 2011, 06:39:38 PM »
Hi Cactus,

Thanks for responding. Walked right into that one :-)

The email clients were giving generic responses:
"Certificate is not trusted, because it hasn't been verified by a recognized authority."

This led to openssl testing, and after looking further into it, it seems the https isn't working correctly either (but the browsers aren't complaining).

Here's the test:
Code:
echo GET | openssl s_client -connect server.tld:443
Here's the response:
Code:
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0

Here's the chain:
Code:
---
Certificate chain
 0 s:/serialNumber=sFZ9unN4m/CU7LgUygwS8Hftfe1zdHM7/C=US/O=server.tld/OU=GT633231189/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=server.tld
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

It seems like the GeoTrust Global CA isn't issued by one of the Equifax CAs in the openssl CA bundle located at /usr/share/ssl/

Any thoughts would be greatly appreciated.

Thanks,

Offline cactus

Re: rapidssl certificate installation
« Reply #3 on: August 11, 2011, 07:09:12 PM »
The email clients were giving generic responses:
"Certificate is not trusted, because it hasn't been verified by a recognized authority."
It seems that it might still be taking the self-signed certificate generated by SME Server on install.

Here's the test:
Code:
echo GET | openssl s_client -connect server.tld:443
Here's the response:
Code:
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Is that really the full result? Even for my self-signed certificate I get a lot more output. What is the output of:

Code:
config show modSSL
I take it you already had a look at these:
http://wiki.contribs.org/Certificate
http://wiki.contribs.org/Certificates_Concepts
« Last Edit: August 11, 2011, 07:13:15 PM by cactus »

Offline Stefano

Re: rapidssl certificate installation
« Reply #4 on: August 11, 2011, 07:11:12 PM »
What is the output of:

mmmhh... Cactus, did you forget something here? :-)

Offline cactus

Re: rapidssl certificate installation
« Reply #5 on: August 11, 2011, 07:12:23 PM »
mmmhh... Cactus, did you forget something here? :-)
Oops, yes. Corrected.

Offline Stefano

Re: rapidssl certificate installation
« Reply #6 on: August 11, 2011, 07:13:43 PM »
Oops, yes. Corrected.

Check the syntax... I can't see anything.

Offline kruhm

Re: rapidssl certificate installation
« Reply #7 on: August 11, 2011, 07:34:41 PM »
I have the rapidssl cert & chainfile installed. The crt is the one issued to me by rapidssl (obviously) & the chainfile is one published by rapidssl here:
https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem

Code:
[root@server ssl.crt]# config show modSSL
modSSL=service
    CertificateChainFile=/home/e-smith/MySSL/ssl.crt/RapidSSL_CA_bundle.pem
    CipherSuite=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    TCPPort=443
    access=public
    crt=/home/e-smith/MySSL/ssl.crt/server.tld.crt
    key=/home/e-smith/MySSL/ssl.key/server.tld.key
    status=enabled

Thanks again,

Offline kruhm

Re: rapidssl certificate installation
« Reply #8 on: August 11, 2011, 11:28:25 PM »

Offline kruhm

Re: rapidssl certificate installation
« Reply #9 on: August 12, 2011, 04:22:20 AM »
Hi Everyone,

Just as a follow-up, the only way I could resolve this was to concatenate the server.crt, intermediate.crt and root.crt together into a single ca_bundle.crt.

Code:
openssl x509 -inform PEM -in "server.crt" -text > ca_bundle.crt
openssl x509 -inform PEM -in "RapidSSL_CA_bundle.pem" -text >> ca_bundle.crt
openssl x509 -inform PEM -in "GeoTrust_Global_CA.cer" -text >> ca_bundle.crt

Then change the CONFIG DB to remove the CertificateChainFile & use the ca_bundle.crt & signal events to expand & restart:
Code:
config delprop modSSL CertificateChainFile
config setprop modSSL crt /home/e-smith/path/to/your/crt/ca_bundle.crt
signal-event domain-modify
signal-event email-update

Corrections, direction & advice are always welcome.

Thanks for listening,
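As an added illustration (not code from this thread or from SME Server), the Go program below models what the mail client on port 993 does: it trusts only a root CA and has to build the chain from whatever the server presents, so a server that sends its own certificate alone fails exactly as kruhm describes, while leaf plus intermediate verifies. The hierarchy is constructed in memory (made-up "Demo Root CA" and "Demo Intermediate CA" standing in for GeoTrust Global CA and RapidSSL CA); mkCert and clientVerify are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn signed by parent/pkey; a nil parent means self-signed (a root).
func mkCert(cn string, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		IsCA: ca, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// clientVerify behaves like a mail client that trusts only roots: the server's own certificate
// must come first in sent, and any intermediate it needs must also be in sent (never a local file).
func clientVerify(sent []*x509.Certificate, roots *x509.CertPool) error {
	if len(sent) == 0 {
		return fmt.Errorf("server presented no certificate")
	}
	inter := x509.NewCertPool()
	for _, c := range sent[1:] {
		inter.AddCert(c)
	}
	_, err := sent[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}
func main() {
	root, rootKey := mkCert("Demo Root CA", true, nil, nil) // constructed hierarchy shaped like the thread's
	inter, interKey := mkCert("Demo Intermediate CA", true, root, rootKey)
	leaf, _ := mkCert("server.tld", false, inter, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	fmt.Println("leaf only:", clientVerify([]*x509.Certificate{leaf}, roots))               // unknown authority: the port-993 symptom
	fmt.Println("leaf+intermediate:", clientVerify([]*x509.Certificate{leaf, inter}, roots)) // <nil>: chain completes
}
```

Note that `openssl x509 -in file` reads only the first PEM block of a multi-certificate file, so a bundle assembled that way is worth checking for completeness (for example with `openssl s_client -connect server.tld:993 -showcerts`) before relying on it.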