[courier-users] Certificate authority invalid

2011-06-27 Thread Mark Constable
Courier 0.66.1 x86_64 and I just got a new RapidSSL certificate and
restarted the esmtpd-ssl and imapd-ssl daemons and now I can't connect
via SSL, with a client side error of...

Trusted: NO, there were errors. The certificate authority's certificate
is invalid and not trusted for this purpose... the certificate cannot be
verified for internal reasons.

Some googling indicated that the email address in the cert must be
available for local authentication so I added it. The pems are not
world readable and comprise a concatenated *.key and *.crt provided by
the cert authority. RapidSSL chained from GeoTrust (I guess).

Do I have to provide the CA file to courier?

If so, how or where in the file system?

--
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security 
threats, fraudulent activity, and more. Splunk takes this data and makes 
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users


Re: [courier-users] Certificate authority invalid

2011-06-27 Thread Sam Varshavchik

Mark Constable writes:

> Courier 0.66.1 x86_64 and I just got a new RapidSSL certificate and
> restarted the esmtpd-ssl and imapd-ssl daemons and now I can't connect
> via SSL, with a client side error of...
>
> Trusted: NO, there were errors. The certificate authority's certificate
> is invalid and not trusted for this purpose... the certificate cannot be
> verified for internal reasons.
>
> Some googling indicated that the email address in the cert must be
> available for local authentication so I added it. The pems are not
> world readable and comprise a concatenated *.key and *.crt provided by
> the cert authority. RapidSSL chained from GeoTrust (I guess).
>
> Do I have to provide the CA file to courier?

Yes, if you're using a certificate signed by a CA that your client does not  
have in its built-in list of trusted CAs, and your CA's certificate includes  
a signature from a trusted CA, then you need to combine your CA's cert with  
your own cert. For Courier, convert your intermediate CA cert to a PEM  
format, if it's not already provided in PEM format, and concatenate it with  
your own cert file. I never remember if the intermediate cert must be before  
or after your cert in the certificate file. I believe after, so just append  
your CA cert file in PEM format to your own cert.






Re: [courier-users] Certificate authority invalid

2011-06-27 Thread Mark Constable
On 2011-06-27 06:58 AM, Sam Varshavchik wrote:
> > Trusted: NO, there were errors. The certificate authority's
> > certificate is invalid and not trusted for this purpose... the
> > certificate cannot be verified for internal reasons.
> > ...
> > Do I have to provide the CA file to courier?
>
> Yes, if you're using a certificate signed by a CA that your client
> does not have in its built-in list of trusted CAs, and your CA's
> certificate includes a signature from a trusted CA, then you need to
> combine your CA's cert with your own cert. For Courier, convert your
> intermediate CA cert to a PEM format, if it's not already provided in
> PEM format, and concatenate it with your own cert file. I never
> remember if the intermediate cert must be before or after your cert
> in the certificate file. I believe after, so just append your CA cert
> file in PEM format to your own cert.

Thanks Sam, simply appending the CA PEM, provided by the upstream 
authority, to esmtpd.pem, imapd.pem and pop3d.pem definitely works.
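
The append step that resolved this thread, as an added example (not code from the thread or from the Courier project). The function names, return codes and the directory argument are assumptions for illustration; only the three PEM file names come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): append an intermediate CA PEM to a
# Courier-style combined PEM (private key + server cert), safely and once.

count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

append_chain() {
  ca=$1 pem=$2
  [ -r "$ca" ] && [ -r "$pem" ] || { echo "unreadable: $ca or $pem" >&2; return 2; }
  # The CA file must hold certificates only; a key here means the wrong file.
  if grep -q -- 'PRIVATE KEY-----' "$ca"; then return 3; fi
  [ "$(count_certs "$ca")" -ge 1 ] || return 3
  # The target must already be the key + server cert bundle.
  grep -q -- 'PRIVATE KEY-----' "$pem" || return 4
  [ "$(count_certs "$pem")" -ge 1 ] || return 4
  # Heuristic idempotence check: is the CA cert's first base64 line already there?
  marker=$(grep -v -- '^-----' "$ca" | grep -v '^[[:space:]]*$' | head -n 1)
  [ -n "$marker" ] || return 3
  if grep -qF -- "$marker" "$pem"; then return 0; fi
  # Build the new file under a restrictive umask so the key is never exposed.
  (
    umask 077
    cp -p "$pem" "$pem.bak" &&
    { cat "$pem"; [ -z "$(tail -c 1 "$pem")" ] || echo; cat "$ca"; } > "$pem.new" &&
    mv "$pem.new" "$pem"
  ) || return 5
}

# Usage: sh append-chain.sh CA_PEM PEM_DIR
# PEM_DIR is wherever your installation keeps its PEM files (assumed argument).
if [ "$#" -eq 2 ]; then
  for f in esmtpd.pem imapd.pem pop3d.pem; do
    append_chain "$1" "$2/$f" || echo "skipped $2/$f (rc=$?)" >&2
  done
fi
```

After restarting the daemons, `openssl s_client -connect HOST:993 -showcerts` (HOST is a placeholder) shows whether the server now sends the intermediate along with its own certificate.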

