
sslserver and GoDaddy certificate
Hello,

sslserver says it can't load a GoDaddy certificate-

@4000000055471ab92741eb4c /var/qmail/control/nitrogen2.pem
@4000000055471ab92742607c command-line: exec sslserver -e -vR -l nitrogen.huntingdon.holtain.net -c 30 -u 1002 -g 1000 217.146.107.41 465 qmail-smtpd nitrogen.huntingdon.holtain.net /bin/checkpassword /bin/true 2>&1
@4000000055471ab92763cb2c sslserver: fatal: unable to load certificate

nitrogen2.pem contains both the key and certificate.

Any ideas why self-signed certificates load fine and the GoDaddy one fails?
--
Best regards,
Niamh mailto:niamh@fullbore.co.uk
Re: sslserver and GoDaddy certificate
Hello Sally,

Monday, May 4, 2015, 9:14:00 AM, you wrote:

SL> Have you checked the format of the .pem, key and cert against the self
SL> signed one?

Go-Daddy-
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9c:3f:4d:0e:50:68:f7:bd
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
Validity
Not Before: May 3 11:19:38 2015 GMT
Not After : May 3 11:19:38 2016 GMT
Subject: OU=Domain Control Validated, CN=nitrogen2.huntingdon.holtain.net

Self-signed-
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a4:a5:bf:bf:c3:89:54:69
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=GB, ST=Pembrokeshire, L=Crymych, O=Holtain Ltd, CN=nitrogen.huntingdon.holtain.net/emailAddress=niamh@holtain.net
Validity
Not Before: Jan 3 01:49:31 2013 GMT
Not After : Jan 1 01:49:31 2023 GMT
Subject: C=GB, ST=Pembrokeshire, L=Crymych, O=Holtain Ltd, CN=nitrogen.huntingdon.holtain.net/emailAddress=niamh@holtain.net

--
Best regards,
Niamh mailto:niamh@fullbore.co.uk
Re: sslserver and GoDaddy certificate
Hello Sally,

Monday, May 4, 2015, 9:14:00 AM, you wrote:

SL> I have had to change the cert chain order in a GoDaddy cert
SL> before.

Did you have to add the intermediate certificate as well as the GoDaddy
issued one?

--
Best regards,
Niamh mailto:niamh@fullbore.co.uk
Re: sslserver and GoDaddy certificate
Hi Niamh,


On 04.05.2015 at 09:22, Niamh Holding <niamh@fullbore.co.uk> wrote:

>
> Hello,
>
> sslserver says it can't load a GoDaddy certificate-
>
> @4000000055471ab92741eb4c /var/qmail/control/nitrogen2.pem
> @4000000055471ab92742607c command-line: exec sslserver -e -vR -l nitrogen.huntingdon.holtain.net -c 30 -u 1002 -g 1000 217.146.107.41 465 qmail-smtpd nitrogen.huntingdon.holtain.net /bin/checkpassword /bin/true 2>&1
> @4000000055471ab92763cb2c sslserver: fatal: unable to load certificate
>
> nitrogen2.pem contains both the key and certificate.
>
> Any ideas why self-signed certificates load fine and the GoDaddy one fails?

You did not provide too much information about your problem; thus it is difficult to do any diagnosis.

In case sslserver returns with this error message, the reason is the following:


/* certfile is the PEM file sslserver was told to use; OpenSSL must parse the whole chain from it */
if (SSL_CTX_use_certificate_chain_file(ctx,certfile) != 1)
    return -1;

Thus, it inspects the certfile with this SSL_CTX method.

I would test the certificate with the usual OpenSSL routines (http://www.fehcom.de/qmail/smtptls.html##X509):

openssl x509 -in nitrogen2.pem -text -noout

Try separating cert and keyfile. Protect keyfile with your password or perhaps remove it.

Best regards.
—eh.



> --
> Best regards,
> Niamh mailto:niamh@fullbore.co.uk

---
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: 7E4034BE
Re: sslserver and GoDaddy certificate
Hello Erwin,

Monday, May 4, 2015, 9:58:28 AM, you wrote:

EH> openssl x509 -in nitrogen2.pem -text -noout

openssl x509 -in ../control/nitrogen2.pem -text -noout
unable to load certificate
7269:error:0906D066:PEM routines:PEM_read_bio:bad end line:pem_lib.c:746:

So it seems that openssl doesn't like the concatenated key and certificate
when it's a GoDaddy certificate but is happy when it's self-signed.

EH> Try separating cert and keyfile.

That changes the error to-

sslserver: fatal: unable to load key

--
Best regards,
Niamh mailto:niamh@fullbore.co.uk
Re: sslserver and GoDaddy certificate
Hello Erwin,

Monday, May 4, 2015, 9:58:28 AM, you wrote:

EH> Try separating cert and keyfile

OK... by specifically exporting SSLKEY as well as SSLCERT sslserver now
starts.

However, when trying to send mail the client ("The Bat") reports-

"The server didn't provide a root certificate during the session and there
is no corresponding root certificate in your address book"

Do I need to do something with the intermediate certificate from GoDaddy?

--
Best regards,
Niamh mailto:niamh@fullbore.co.uk
Re: sslserver and GoDaddy certificate
Hello Niamh,

Monday, May 4, 2015, 2:06:18 PM, I wrote:

NH> Do I need to do something with the intermediate certificate from GoDaddy?

Well copying them to /usr/local/ssl/certs/ wasn't the solution...

--
Best regards,
Niamh mailto:niamh@fullbore.co.uk
Re: sslserver and GoDaddy certificate
Hi,


On 04.05.2015 at 15:06, Niamh Holding <niamh@fullbore.co.uk> wrote:

>
> Hello Erwin,
>
> Monday, May 4, 2015, 9:58:28 AM, you wrote:
>
> EH> Try separating cert and keyfile
>
> OK... by specifically exporting SSLKEY as well as SSLCERT sslserver now
> starts.
>
> However, when trying to send mail the client ("The Bat") reports-
>
> "The server didn't provide a root certificate during the session and there
> is no corresponding root certificate in your address book"
>
> Do I need to do something with the intermediate certificate from GoDaddy?

Thus, 'The Bat' does not possess a root cert from GoDaddy.

You can do the following:

1. Download the root cert from GoDaddy (there are certainly some of them) and install those in the 'trust store' of your client.

2. Alternatively, you can concatenate your cert with the GoDaddy root cert and let sslserver present both to the client; however this probably will not solve the issue.

Best regards.
—eh.


>
> --
> Best regards,
> Niamh mailto:niamh@fullbore.co.uk

---
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: 7E4034BE
Re: sslserver and GoDaddy certificate
Hello Niamh,

Monday, May 4, 2015, 2:06:18 PM, I wrote:

NH> Do I need to do something with the intermediate certificate from GoDaddy?

Aha... appending the intermediate certificates to the server certificate
seems to solve the problem, not sure it's the approved answer.

Now to see if that way works for dovecot.

--
Best regards,
Niamh mailto:niamh@fullbore.co.uk
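As an added example (not code from the thread or from ucspi-ssl): a small Python checker that applies the same END-line rule PEM_read_bio enforces, so a bundle that will fail with "bad end line" can be spotted before sslserver refuses it. One well-known way to produce that error is concatenating a certificate file that has no trailing newline with the key file, which fuses the END and BEGIN markers onto one line; that this is what happened with the GoDaddy file here is an assumption, not something the thread confirms. The checker also splits a bundle into separate certificate-chain and key files, in the order the blocks appear, which is the layout Niamh ended up using with SSLCERT and SSLKEY.

```python
import base64
import binascii
import re

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")

# Constructed sample bundle (placeholder base64, not real key material): a
# certificate with no trailing newline followed by a key, i.e. the result of
# `cat cert.pem key.pem` when cert.pem lacks a final newline.
B64 = base64.b64encode(b"placeholder DER bytes").decode()
FUSED_BUNDLE = (f"-----BEGIN CERTIFICATE-----\n{B64}\n-----END CERTIFICATE-----"
                f"-----BEGIN RSA PRIVATE KEY-----\n{B64}\n-----END RSA PRIVATE KEY-----\n")


def lint_pem(text):
    """Split PEM text into (label, base64 body) blocks and report the conditions
    OpenSSL's PEM reader rejects: an END line whose name differs from the BEGIN
    line or that carries extra text (its 'bad end line' error), or a bad body."""
    blocks, problems, label, body = [], [], None, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.rstrip()                 # OpenSSL strips trailing CR/whitespace too
        if label is None:
            m = BEGIN.match(line)
            if m:
                label, body = m.group(1), []
            continue                         # text outside a block is ignored
        if line.startswith("-----END "):
            if line != f"-----END {label}-----":
                problems.append(f"line {n}: bad end line for {label}: {line!r}")
            else:
                try:
                    base64.b64decode("".join(body), validate=True)
                    blocks.append((label, "".join(body)))
                except binascii.Error:
                    problems.append(f"line {n}: bad base64 body in {label} block")
            label = None
        elif line and ":" not in line:       # skip Proc-Type/DEK-Info headers of encrypted keys
            body.append(line)
    if label is not None:
        problems.append(f"unterminated {label} block")
    return blocks, problems


def repair_fused_markers(text):
    """Insert the newline missing between an END marker and a BEGIN marker glued to it."""
    return re.sub(r"(-----END [A-Z0-9 ]+-----)(?=-----BEGIN )", r"\1\n", text)


def split_bundle(text):
    """Return (certs, keys): normalized PEM strings, each ending in a newline, in file
    order, ready to be written as a separate chain file (SSLCERT) and key file (SSLKEY)."""
    blocks, problems = lint_pem(text)
    if problems:
        raise ValueError("; ".join(problems))
    certs, keys = [], []
    for label, body in blocks:
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        pem = f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"
        (keys if "PRIVATE KEY" in label else certs).append(pem)
    return certs, keys
```

Run `lint_pem` on the bundle sslserver rejects; if it reports a bad end line, `repair_fused_markers` followed by `split_bundle` yields a chain file and a key file that each pass the same check.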
Re: sslserver and GoDaddy certificate
Hello Erwin,

Monday, May 4, 2015, 4:57:19 PM, you wrote:

EH> Download the root cert from GoDaddy (there are certainly some of
EH> them) and install those in the 'trust store' of your client.

Installing a certificate on an Android client is the problem, as Android then
insists on a PIN or password screen lock; this causes a significant problem
for a registered blind user as then her specialist software can't be
accessed until the screen is unlocked.

However see my other reply.

--
Best regards,
Niamh mailto:niamh@fullbore.co.uk