Hi Andy,
Right now I'm trying to solve the problem of why I see the 
"unable to get local issuer certificate" messages when running the 
openssl s_client command.  I'm not that familiar with ssl (or imap) and
don't know if this is normal or not, or if ssl is working properly.
Comodo sent an intermediate CA certificate
along with the signed ssl certificate, that I don't know what to do


>>> Andrew Morgan <[EMAIL PROTECTED]> 09/26/05 5:11 PM >>>

On Mon, 26 Sep 2005, Nicole Skyrca wrote:

> Hi Cristian,
>>  usually if the server has SSL/TLS capability it advertises that in
>> the response to the 'capability' IMAP command:
> We have telnet disabled so I can't try this.
>> try to remove the password from the certificate key file,
>> just as easy as :
>> openssl rsa -in imap-server.key -out imap-server.noPass.key
>> If it asks for a password, then just press enter.
> I tried this, and pointed my configuration file to use the new key
> without the password.  This got me a little further.  I am still
> some errors like "unable to verify first certificate".
> The certificate that we purchased has an intermediate certificate.
> Have you ever dealt with an intermediate certificate before?  I tried
> replace the  tls_ca_file value with a file containing that
> certificate that I received with the signed certificate, and I didn't
> the error anymore.  I don't know if that is going to cause any
> though.
> This is the error I get when I try tls_ca_file points to the
> file that comes with openssl.
> [EMAIL PROTECTED] certs]# openssl s_client -connect imap1:993
> CONNECTED(00000003)
> depth=0 /C=US/ A
> Hall/O=Syracuse University/OU=CMS/OU=InstantSSL/CN=imap1
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/ A
> Hall/O=Syracuse University/OU=CMS/OU=InstantSSL/CN=imap1
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/ A
> Hall/O=Syracuse University/OU=CMS/OU=InstantSSL/CN=imap1
> verify error:num=21:unable to verify the first certificate
> verify return:1
> This is what I get when I replace tls_ca_file with the intermediate
> certificate:
> [EMAIL PROTECTED] certs]# openssl s_client -connect imap:993
> CONNECTED(00000003)
> depth=2 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions,
> Inc./CN=GTE CyberTrust Global Root
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Thank you so much for your suggestions.

What is the actual problem you are trying to solve?  I have an SSL 
certificate signed by Thawte that I am using with Cyrus IMAP.  It gives
the same messages as you when I use "openssl s_client" against it, but
everything is working fine for me.

Sorry if I missed earlier parts of this thread.

Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
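
The two error patterns quoted in this thread (error 20 at depth 0, error 19 at depth 2) can be reproduced offline with `openssl verify`. The script below is an added example, not part of any message in the thread; it builds a constructed root, intermediate and leaf (all names are made up) and shows error 20 when the verifier cannot find the intermediate, a clean result when the intermediate accompanies the leaf, and error 19 when the chain ends in a root the verifier does not trust.

```shell
#!/bin/sh
# Added example. Constructed throwaway PKI: demo-root -> demo-inter -> demo-leaf.
# All subject and file names are made up for the demo.

build_demo_pki() {    # $1 = empty working directory
    w=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$w/ca.ext"
    for n in root inter leaf; do
        openssl genrsa -out "$w/$n.key" 2048 2>/dev/null
        openssl req -new -key "$w/$n.key" -subj "/CN=demo-$n" -out "$w/$n.csr"
    done
    # Self-signed root, intermediate signed by the root, leaf signed by the intermediate.
    openssl x509 -req -in "$w/root.csr" -signkey "$w/root.key" \
        -extfile "$w/ca.ext" -days 2 -out "$w/root.pem" 2>/dev/null
    openssl x509 -req -in "$w/inter.csr" -CA "$w/root.pem" -CAkey "$w/root.key" \
        -set_serial 2 -extfile "$w/ca.ext" -days 2 -out "$w/inter.pem" 2>/dev/null
    openssl x509 -req -in "$w/leaf.csr" -CA "$w/inter.pem" -CAkey "$w/inter.key" \
        -set_serial 3 -days 2 -out "$w/leaf.pem" 2>/dev/null
    # Intermediate plus root in one file, as presented by a peer that sends the whole chain.
    cat "$w/inter.pem" "$w/root.pem" > "$w/chain.pem"
}

# Prints "OK", or the first failure as "<error number>@<depth>", e.g. "20@0".
verify_result() {     # arguments are passed straight to `openssl verify`
    out=$(openssl verify "$@" 2>&1) || true
    case $out in
        *"error "*) printf '%s\n' "$out" |
                        sed -n 's/.*error \([0-9]*\) at \([0-9]*\) depth.*/\1@\2/p' | head -n 1 ;;
        *": OK"*)   echo OK ;;
        *)          echo "unexpected: $out" ;;
    esac
}

d=$(mktemp -d) && build_demo_pki "$d"
# Root trusted, but nobody supplies the intermediate: issuer of the leaf is unknown.
echo "leaf only, root trusted:           $(verify_result -CAfile "$d/root.pem" "$d/leaf.pem")"
# Root trusted, intermediate supplied alongside the leaf: the chain completes.
echo "leaf + intermediate, root trusted: $(verify_result -CAfile "$d/root.pem" -untrusted "$d/inter.pem" "$d/leaf.pem")"
# Whole chain supplied, but the verifier's trust store does not contain demo-root.
echo "full chain, root not trusted:      $(verify_result -untrusted "$d/chain.pem" "$d/leaf.pem")"
rm -rf "$d"
```

The last case relies on the system's default trust store not containing the constructed root, which holds for any freshly generated key.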
