Robin Peng <[email protected]> (Fr 13 Jul 2012 08:36:55 CEST):
> Hi all
>
> I bought an SSL certificate (Comodo), and configured SSL as below:
> ------------------------------------------------------------------
> tls_advertise_hosts = *
> tls_require_ciphers = SSLv3:TLS
> tls_verify_certificates = /etc/ssl/comodo/CA.crt
> tls_certificate = /etc/ssl/comodo/server.crt
> tls_privatekey = /etc/ssl/comodo/server.key
> #tls_certificate = /etc/ssl/server.crt
> #tls_privatekey = /etc/ssl/server.key
> -------------------------------------------------------
> test SSL
> $ openssl s_client -connect mail.saybot.com:smtps
>
> CONNECTED(00000003)
> depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mail.saybot.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mail.saybot.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=mail.saybot.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> exim version: 4.76
>
> Has anyone successfully made such a configuration?

Your client (openssl) needs the CA, otherwise the client can't verify
the CRT of your server (exim). Check the s_client(1SSL) man page, look
for -CAfile or -CApath.

If this still does not work, you should check if you need a chain
certificate. Some CAs issue certificates signed with a "sub" CA of the
official known CA. The server should provide the "sub" CA (chain
certificate) as well as the server certificate to the client.

(If I remember well, it should suffice to just put both certs into the
server.crt file, but I'm not sure if the order matters.)

-- 
Heiko :: dresden : linux : SCHLITTERMANN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
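
The missing "sub" CA case from the reply above, reproduced offline as an added example (not part of the original thread): the script builds a constructed root CA, sub CA and server certificate with openssl, then verifies as a client that trusts only the root. The `*.example.test` names, file names and function names are assumptions; the bundle puts the server certificate first, which is the order TLS sends the certificate list in.

```shell
#!/bin/sh
# Constructed throwaway PKI: root CA -> "sub" CA -> server certificate.
# All names, files and functions here are made up for this example.

make_pki() {    # $1 = empty working directory
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\ncommonName=CN\n' > "$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root sub server; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
            -subj "/CN=$n.example.test" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # Self-signed root, then the sub CA signed by the root (both CA:TRUE).
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null || return 1
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/sub.crt" 2>/dev/null || return 1
    # Server certificate signed by the sub CA, not by the root.
    openssl x509 -req -in "$d/server.csr" -CA "$d/sub.crt" -CAkey "$d/sub.key" \
        -set_serial 3 -days 2 -out "$d/server.crt" 2>/dev/null || return 1
    # What the server could present: leaf alone, or leaf followed by the sub CA.
    cp "$d/server.crt" "$d/leaf-only.pem"
    cat "$d/server.crt" "$d/sub.crt" > "$d/with-chain.pem"
}

# Verify as a client that trusts only the root and receives the given file.
# Matches on the "OK" line because old openssl releases exit 0 on failure.
verify_presented() {    # $1 = directory, $2 = file the server presents
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/$2" "$1/$2" 2>&1 |
        grep -q ': OK$'
}

# Subject of the first certificate in a PEM file (the one sent as the leaf).
first_subject() { openssl x509 -in "$1" -noout -subject; }

demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" || { rm -rf "$d"; return 1; }
    verify_presented "$d" leaf-only.pem  && echo "leaf only: OK" \
        || echo "leaf only: FAIL (issuer missing)"
    verify_presented "$d" with-chain.pem && echo "with chain: OK" \
        || echo "with chain: FAIL"
    first_subject "$d/with-chain.pem"
    rm -rf "$d"
}
demo
```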
