That has not been my experience...

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Pennsylvania/L=Allentown/O=K12Systems Inc/OU=Network Technologies Group/CN=*.k12system.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
   i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
Server certificate
subject=/C=US/ST=Pennsylvania/L=Allentown/O=K12Systems Inc/OU=Network Technologies Group/CN=*.k12system.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3

No special config required.

What does the SSL Labs test say?

https://www.ssllabs.com/ssltest/

Joe

> -----Original Message-----
> From: James Bensley [mailto:[email protected]]
> Sent: Friday, January 04, 2013 5:44 AM
> To: [email protected]
> Subject: [Pound Mailing List] SSL Certificate Issue
>
> Howdy All,
>
> I am having an issue with Pound and SSL which I can't seem to overcome.
> The SSL sites I have behind pound work fine in all my browsers
> (IE/FF/GC etc) but some mobile devices for example throw up a
> certificate error. I am getting the following error when trying to
> debug;
>
> openssl s_client -showcerts -connect mysite.com:443 -debug
>
> Verify return code: 21 (unable to verify the first certificate)
>
>
> My understanding is that this is because Pound is not offering up the
> entire certificate chain during the SSL handshake, however in my
> pound.cfg I have;
>
> Cert "/etc/ssl/certs/mysite.com.pem"
>
> This .pem file contains (in the following order);
>
> -site private key
> -public cert
> -issuers cert
> -root ca cert
>
> So is pound not offering these all out upon initiation of an SSL
> connection even though I have put them in there, and I somehow need to
> tell it to do so; Or is this something I need to configure elsewhere in
> the config file?
>
> Many thanks,
> James.
>
> --
> To unsubscribe send an email with subject unsubscribe to
> [email protected].
> Please contact [email protected] for questions.
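
Added example (not part of the original thread, and not code from Pound or OpenSSL): a Python check over the "Certificate chain" block that openssl s_client prints, reporting a leaf-only chain (the case behind verify return code 21) or certificates sent out of order. The sample outputs and names are constructed, and comparing issuer and subject names as strings is a simplifying assumption; real verification checks signatures.

```python
import re

# Lines as printed by `openssl s_client` under "Certificate chain":
#   " 0 s:<subject>" followed by "   i:<issuer>"
SUBJECT = re.compile(r"^\s*\d+\s+s:\s*(.+?)\s*$")
ISSUER = re.compile(r"^\s+i:\s*(.+?)\s*$")

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in s_client_output.splitlines():
        if (m := SUBJECT.match(line)):
            subject = m.group(1)
        elif (m := ISSUER.match(line)) and subject is not None:
            chain.append((subject, m.group(1)))
            subject = None
    return chain

def check_chain(chain):
    """List problems that make clients without a cached intermediate fail."""
    if not chain:
        return ["no certificates found in output"]
    findings = []
    if len(chain) == 1 and chain[0][0] != chain[0][1]:
        findings.append("leaf only: no intermediate sent; "
                        "clients lacking it fail with verify code 21")
    for n in range(len(chain) - 1):
        # Assumption: name equality stands in for signature verification.
        if chain[n][1] != chain[n + 1][0]:
            findings.append(f"cert {n}: issuer is not the subject of cert {n + 1}")
    return findings

# Constructed samples; the names are placeholders, not from the thread.
LEAF = " 0 s:/CN=www.example.test\n   i:/CN=Example Intermediate CA\n"
INTER = " 1 s:/CN=Example Intermediate CA\n   i:/CN=Example Root CA\n"
FULL = "Certificate chain\n" + LEAF + INTER + "---\n"
LEAF_ONLY = "Certificate chain\n" + LEAF + "---\n"
MISORDERED = ("Certificate chain\n" + LEAF
              + " 1 s:/CN=Example Root CA\n   i:/CN=Example Root CA\n"
              + " 2 s:/CN=Example Intermediate CA\n   i:/CN=Example Root CA\n---\n")

if __name__ == "__main__":
    for name, text in [("full", FULL), ("leaf only", LEAF_ONLY), ("misordered", MISORDERED)]:
        print(name, check_chain(parse_chain(text)) or "ok")
```
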
