Problems installing ssl certificate for cyrus imap

Nicole Skyrca nskyrca at syr.edu
Mon Sep 26 16:44:21 EDT 2005


Hi Cristian,

> usually if the server has SSL/TLS capability it advertises that in
> the response to the 'capability' IMAP command:
We have telnet disabled so I can't try this.

> try to remove the password from the certificate key file,
> just as easy as :
> openssl rsa -in imap-server.key -out imap-server.noPass.key
> If it asks for a password, then just press enter.

I tried this, and pointed my configuration file to use the new key file
without the password.  This got me a little further.  I am still seeing
some errors like "unable to verify first certificate".  

The certificate that we purchased has an intermediate certificate. 
Have you ever dealt with an intermediate certificate before?  I tried to
replace the  tls_ca_file value with a file containing that intermediate
certificate that I received with the signed certificate, and I didn't see
the error anymore.  I don't know if that is going to cause any problems
though.

This is the error I get when I try pointing tls_ca_file to the ca_bundle
file that comes with openssl.

[root@mailtest certs]# openssl s_client -connect imap1:993
CONNECTED(00000003)
depth=0 /C=US/2.5.4.17=13244/ST=NY/L=Syracuse/2.5.4.9=250 A Machinery
Hall/O=Syracuse University/OU=CMS/OU=InstantSSL/CN=imap1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/2.5.4.17=13244/ST=NY/L=Syracuse/2.5.4.9=250 A Machinery
Hall/O=Syracuse University/OU=CMS/OU=InstantSSL/CN=imap1
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/2.5.4.17=13244/ST=NY/L=Syracuse/2.5.4.9=250 A Machinery
Hall/O=Syracuse University/OU=CMS/OU=InstantSSL/CN=imap1
verify error:num=21:unable to verify the first certificate
verify return:1

This is what I get when I replace tls_ca_file with the intermediate
certificate:
[root@mailtest certs]# openssl s_client -connect imap:993
CONNECTED(00000003)
depth=2 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions,
Inc./CN=GTE CyberTrust Global Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---

Thank you so much for your suggestions.

Nicole


