From: Andreas Meyer (anmeyer
anup.de)
Date: Sat Mar 01 2003 - 13:14:04 CST
On Sat, 1 Mar 2003 15:33:27 +0100, Lutz Jaenicke wrote:
> > Feb 28 10:24:12 mojojojo postfix/smtp[25272]: verify error:num=20:unable
> > to get local issuer certificate
> > Feb 28 10:24:12 mojojojo postfix/smtp[25272]: verify
> > error:num=27:certificate not trusted
> > Feb 28 10:24:12 mojojojo postfix/smtp[25272]: verify error:num=21:unable
> > to verify the first certificate
>
> Your peer sent a server certificate that was signed by some intermediate
> or root CA. The chain sent was incomplete, at least one certificate is
> missing. As you do not have a local copy of the (intermediate or root)
> CA certificate, you cannot substitute the missing certificate.
> unable to get local issuer certificate
> should better read
> unable to get issuer certificate locally :-)
>
> The other errors are the consequence of the first one.
>
> ...
> > smtp_tls_CApath = /etc/ssl/certs
> ...
> The missing certificate should be available in this directory to succeed.
> Make sure to create the hash link files in the directory and to understand
> the implications of chroot operations.
I just made some tests because I have the same problem with "unable to get
local issuer certificate".
I created a new CA using the CA.pl in /usr/share/ssl/misc. Made a
-newreq and signed it. Everything without a problem.
Then I did:
# openssl verify -verbose -purpose sslserver ./cacert.pem
./cacert.pem: /C=DE/ST=RPL/L=Landau/O=unlimited/OU=MeyerCraft/CN=Andres Meyer/Email=andreas
meyer.home
error 18 at 0 depth lookup:self signed certificate
OK
and then I do a:
openssl verify -verbose -purpose sslserver ../newcert.pem
../newcert.pem: /C=DE/ST=RPL/L=Landau/O=private/OU=home/CN=Andreas/Email=andreas
gamma
error 20 at 0 depth lookup:unable to get local issuer certificate
And now this seems strange to me. What is happening? Why can't openssl
find the local issuer certificate?
delta:/usr/share/ssl/misc/demoCA # echo $PATH
/sbin:/usr/sbin:/usr/local/sbin:/root/bin:/usr/local/bin:/usr/bin:/usr/share/ssl/misc/demoCA
delta:/usr/share/ssl/misc/demoCA # whereis openssl
openssl: /usr/bin/openssl /usr/include/openssl /usr/share/man/man1/openssl.1.gz
Even with full path in the verify-command the local issuer is not
found. I'm completely clueless.
--
Andreas Meyer
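
An added example, not part of the original message: it builds a throwaway CA and a certificate signed by it, then runs `openssl verify` four ways to show when error 20 appears, using the `-CAfile` option and the hashed `CApath` directory mentioned in the quoted reply. The subject names, file names and scratch directory are constructed test values; `openssl verify` given neither `-CAfile` nor `-CApath` consults only its default trust locations.

```shell
#!/bin/sh
# Added example. The CA, subject names and file layout are constructed test values.

make_pki() {                       # $1 = scratch directory
    d=$1; mkdir -p "$d/certs"
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed CA (stands in for the cacert.pem that CA.pl creates)
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
    # Certificate request, then signing by the CA (stands in for -newreq and signing)
    openssl req -new -config "$d/ca.cnf" -subj "/CN=mail.example.test" \
        -newkey rsa:2048 -nodes -keyout "$d/newkey.pem" -out "$d/newreq.pem" 2>/dev/null
    openssl x509 -req -in "$d/newreq.pem" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -days 2 -out "$d/newcert.pem" 2>/dev/null
}

verify_status() {                  # args: options for "openssl verify", then the cert
    out=$(openssl verify -purpose sslserver "$@" 2>&1) || true
    case $out in
        *"unable to get local issuer certificate"*) echo issuer-missing ;;
        *": OK"*) echo ok ;;
        *) echo other ;;
    esac
}

demo() {
    d=$(mktemp -d); make_pki "$d"
    r1=$(verify_status "$d/newcert.pem")                          # no trust anchor given
    r2=$(verify_status -CAfile "$d/cacert.pem" "$d/newcert.pem")  # issuer named explicitly
    cp "$d/cacert.pem" "$d/certs/"
    r3=$(verify_status -CApath "$d/certs" "$d/newcert.pem")       # CA file present, no hash link
    ln -s cacert.pem "$d/certs/$(openssl x509 -hash -noout -in "$d/cacert.pem").0"
    r4=$(verify_status -CApath "$d/certs" "$d/newcert.pem")       # hash link present
    rm -rf "$d"
    echo "$r1 $r2 $r3 $r4"
}

demo
```

The third and fourth results differ only by the `<hash>.0` link, which is the "hash link files" step from the quoted reply.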