On Friday 27 of May 2011, W B Hacker wrote:
> Arkadiusz Miskiewicz wrote:
> > On Monday 23 of May 2011, Heiko Schlittermann wrote:
> >> Arkadiusz Miskiewicz<[email protected]> (Mon May 23 10:52:11 2011):
> >>> I've replaced rapidssl cert recently with new one. rapidssl started to
> >>> use intermediate certificate. Unfortunately I'm getting in smtp server
> >>> logs (exim 4.76):
> >>>
> >>> (SSL_accept): error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert
> >>> bad certificate
> >>> 2011-05-23 10:42:57 TLS client disconnected cleanly (rejected our
> >>> certificate?)
> >>>
> >>> tls_certificate points to a file which contains 3 certificates:
> >>>
> >>> - cert for my domain issued by: Issuer: C=US, O=GeoTrust, Inc.,
> >>> CN=RapidSSL CA
> >>>
> >>> - intermediate cert:
> >>> Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
> >>> Subject: C=US, O=GeoTrust, Inc., CN=RapidSSL CA
> >>>
> >>> - third cert:
> >>> Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
> >>> Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
> >>>
> >>> in exactly that order.
> >>>
> >>> tls_privatekey points to a file with private key.
> >>>
> >>> The question is why "alert bad certificate" comes up if everything
> >>> looks fine, all intermediate certs are provided etc?
> >>
> >> Maybe you can tell us how to connect the server you're talking about,
> >> some of the problems can be detected from outside.
> >
> > It's smtp-arm.beep.pl
>
> Arkadiusz,
>
> Just sent this post back with an extra line or so.
>
> Worked OK to *port 25* from Hong Kong, Exim 4.73 on OpenBSD 4.9 with log
> entry of:
>
> 2011-05-27 08:38:19 [16457] 1QPsYZ-0007YO-O5 => [email protected]
> F=<[email protected]> P=<[email protected]> R=dnslookup T=remote_smtp
> S=2172 H=mx01.agnat.pl [193.239.44.65]:25 X=TLSv1:DHE-RSA-AES256-SHA:256
> CV=no DN="/C=PL/O=*.agnat.eu/OU=GT03137972/OU=See
> www.rapidssl.com/resources/cps (c)07/OU=Domain Control Validated -
> RapidSSL(R)/CN=*.agnat.eu" C="250 OK id=1QPsYi-00087O-4A" QT=12s DT=10s

This cert expired a long time ago and it wasn't using any intermediate cert.
The smtp-arm.beep.pl has a new cert which unfortunately uses an intermediate one.

> HTH,
>
> Bill Hacker

--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
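
One way to confirm that a tls_certificate bundle like the one described in the thread is ordered leaf first, with each certificate's issuer equal to the next certificate's subject. This is an added example, not part of the original messages; the function names chain_order_ok and make_test_chain and the throwaway test chain are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a PEM bundle is ordered leaf -> intermediate -> root,
# i.e. each certificate's issuer equals the next certificate's subject.
# chain_order_ok and make_test_chain are illustrative names (assumptions).

chain_order_ok() {
    # crl2pkcs7 + pkcs7 -print_certs lists subject= and issuer= for every
    # certificate in the file, in file order.
    openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -noout |
    awk '
        /^subject=/ { sub(/^subject= */, "")
                      if (n++ && $0 != issuer) {
                          printf "cert %d subject does not match cert %d issuer\n", n, n - 1
                          bad = 1 } }
        /^issuer=/  { sub(/^issuer= */, ""); issuer = $0 }
        END { exit (bad || n == 0) }'
}

# Build a constructed three-certificate chain (all names made up) in directory $1.
make_test_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    for pair in "int:root:Constructed Intermediate CA" "leaf:int:mail.example.test"; do
        name=${pair%%:*}; rest=${pair#*:}; ca=${rest%%:*}; cn=${rest#*:}
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$d/$name.csr" -CA "$d/$ca.pem" \
            -CAkey "$d/$ca.key" -set_serial 1 -out "$d/$name.pem" 2>/dev/null
    done
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/good.pem"   # correct order
    cat "$d/leaf.pem" "$d/root.pem" "$d/int.pem" > "$d/bad.pem"    # intermediate misplaced
}
```

The check only compares names; it does not verify signatures, validity dates or trust, so a bundle that passes can still be rejected by a client for those reasons.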
