Dan, Thanks for your help. I was able to fix the problem with your advice.
For reference, I used the order of "my cert" -> "Godaddy cert" -> "ValiCert cert" (or least -> most trusted) to create my new server.crt. I realized after the fact that my openssl s_client/s_server setup was invalid and giving me bad data.

I owe you a box of cookies. Thanks again.

On Mon, 2008-05-19 at 10:41 -0400, Daniel Kahn Gillmor wrote:
> On Mon 2008-05-19 10:05:04 -0400, Ben Goldsbury wrote:
>
> > I have a valid wildcard certificate purchased from Godaddy. This
> > certificate has the normal cert/key and an issuing certificate. The
> > issuing certificate is actually a chain of 3 certificates.
>
> I haven't had a chance to test this myself, but it sounds to me like
> you're having a problem with certificate chaining, not with the
> wildcard itself. In particular, it sounds like your gnutls-cli
> instance can't complete the trust path from the offered certificate to
> one of its trusted CAs because it lacks information about the
> intermediate CAs.
>
> > Using openssl's tools, I am able to create a valid server/client
> > relationship.
>
> Could you post an example of openssl commands you used which
> succeeded?
>
> I suspect what you'll need to do is to add the intermediate
> certificates to server.crt (i dunno if they should go above or below
> the host's certificate) before invoking gnutls-serv, so that they'll
> be offered to complete the trust path.
>
> the --x509cafile option for gnutls-serv is there to verify client
> certificates, and (afaik) isn't used to select intermediate certs to
> send on during the server certificate validation phase of connection
> negotiation.
>
> hth,
>
> --dkg

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
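An added example, not code from this thread or from the GnuTLS project: a small Python check for the ordering Ben settled on, walking a PEM bundle such as server.crt and confirming that each certificate's issuer Name equals the subject Name of the certificate that follows it (leaf first, then each intermediate, root last), which is the order a server needs so that a client can complete the trust path. It compares DER-encoded Names byte for byte and verifies no signatures; the three certificates defined at the bottom are constructed, unsigned stand-ins with placeholder names, not GoDaddy or ValiCert data.

```python
import base64, re

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)                      # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                      # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 6:
        tag, val, pos = _read_tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]                   # serial, sigAlg, issuer, validity, subject

def pem_certs(text):
    """Extract every PEM CERTIFICATE block of a bundle as DER bytes, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def chain_problems(pem_bundle):
    """Report each adjacent pair where cert i is not issued by cert i+1; [] means well ordered."""
    certs = pem_certs(pem_bundle)
    problems = []
    for i in range(len(certs) - 1):
        issuer, _ = issuer_and_subject(certs[i])
        _, next_subject = issuer_and_subject(certs[i + 1])
        if issuer != next_subject:
            problems.append(f"cert {i} is not issued by cert {i + 1}")
    return problems

# Constructed, unsigned stand-in certificates for the demo (placeholder names, not real CA data).
def _tlv(tag, body):
    length = bytes([len(body)]) if len(body) < 128 else b"\x81" + bytes([len(body)])
    return bytes([tag]) + length + body

def _fake_cert(subject, issuer):
    name = lambda s: _tlv(0x30, _tlv(0x13, s.encode()))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
           + name(issuer) + _tlv(0x30, b"") + name(subject))
    der = _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

LEAF = _fake_cert("*.example.com", "Go Daddy Secure CA (placeholder)")
INTERMEDIATE = _fake_cert("Go Daddy Secure CA (placeholder)", "ValiCert Root (placeholder)")
ROOT = _fake_cert("ValiCert Root (placeholder)", "ValiCert Root (placeholder)")
```

Run `chain_problems(open("server.crt").read())` against a real bundle; an empty list means every certificate is followed by its issuer, a reversed or shuffled bundle names each broken link.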
