Problems installing ssl certificate for cyrus imap

Nicole Skyrca nskyrca at syr.edu
Mon Sep 26 17:38:35 EDT 2005


Hi Andy,
Right now I'm trying to solve the problem of why I see the
"unable to get local issuer certificate" messages when running the
openssl s_client command.  I'm not that familiar with ssl (or imap) and I
don't know if this is normal or not, or if ssl is working properly.
Comodo sent an intermediate CA certificate
along with the signed ssl certificate, that I don't know what to do with.

Thanks,
Nicole


>>> Andrew Morgan <morgan at orst.edu> 09/26/05 5:11 PM >>>

On Mon, 26 Sep 2005, Nicole Skyrca wrote:

>
> Hi Cristian,
>
>>  usually if the server has SSL/TLS capability it advertises that in
>> the response to the 'capability' IMAP command:
> We have telnet disabled so I can't try this.
>
>>
>>  try to remove the password from the certificate key file,
>> just as easy as :
>> openssl rsa -in imap-server.key -out imap-server.noPass.key
>> If it asks for a password, then just press enter.
>
> I tried this, and pointed my configuration file to use the new key file
> without the password.  This got me a little further.  I am still seeing
> some errors like "unable to verify first certificate".
>
> The certificate that we purchased has an intermediate certificate.
> Have you ever dealt with an intermediate certificate before?  I tried to
> replace the tls_ca_file value with a file containing that intermediate
> certificate that I received with the signed certificate, and I didn't see
> the error anymore.  I don't know if that is going to cause any problems
> though.
>
> This is the error I get when tls_ca_file points to the ca_bundle
> file that comes with openssl.
>
> [root@mailtest certs]# openssl s_client -connect imap1:993
> CONNECTED(00000003)
> depth=0 /C=US/2.5.4.17=13244/ST=NY/L=Syracuse/2.5.4.9=250 A Machinery Hall/O=Syracuse University/OU=CMS/OU=InstantSSL/CN=imap1
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/2.5.4.17=13244/ST=NY/L=Syracuse/2.5.4.9=250 A Machinery Hall/O=Syracuse University/OU=CMS/OU=InstantSSL/CN=imap1
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/2.5.4.17=13244/ST=NY/L=Syracuse/2.5.4.9=250 A Machinery Hall/O=Syracuse University/OU=CMS/OU=InstantSSL/CN=imap1
> verify error:num=21:unable to verify the first certificate
> verify return:1
>
> This is what I get when I replace tls_ca_file with the intermediate
> certificate:
> [root@mailtest certs]# openssl s_client -connect imap:993
> CONNECTED(00000003)
> depth=2 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
>
> Thank you so much for your suggestions.

What is the actual problem you are trying to solve?  I have an SSL
certificate signed by Thawte that I am using with Cyrus IMAP.  It gives me
the same messages as you when I use "openssl s_client" against it, but
everything is working fine for me.

Sorry if I missed earlier parts of this thread.

 	Andy
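
An added example, not part of the original thread: the script below builds a throwaway root, intermediate and leaf certificate with the openssl CLI and shows that the "unable to get local issuer certificate" (num=20) error appears when the verifier trusts the root but has no copy of the intermediate, and goes away once the intermediate is supplied. All names (Demo Root CA, Demo Intermediate CA, imap.example.test) and files are constructed for the demo; it assumes only that `openssl` is installed.

```shell
#!/usr/bin/env bash
# Constructed demo: a throwaway root -> intermediate -> leaf chain.
# All names and files here are made up for illustration.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

new_csr() {  # new_csr <basename> <common name>: private key + signing request
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

build_chain() {
  # Extensions that mark a certificate as a CA (used for root and intermediate).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$WORK/ca.ext"
  new_csr root "Demo Root CA" && new_csr int "Demo Intermediate CA" &&
    new_csr leaf "imap.example.test" || return 1
  # Self-signed root, intermediate signed by root, leaf signed by intermediate.
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -days 2 -out "$WORK/root.pem" >/dev/null 2>&1 &&
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -days 2 -out "$WORK/int.pem" >/dev/null 2>&1 &&
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -days 2 \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_leaf [extra "openssl verify" options]: prints openssl's verdict and
# returns 0 only if the leaf chains up to the trusted root.
verify_leaf() {
  out=$(openssl verify -CAfile "$WORK/root.pem" "$@" "$WORK/leaf.pem" 2>&1) || true
  printf '%s\n' "$out"
  printf '%s\n' "$out" | grep -q ': OK$'
}

build_chain || { echo "openssl chain setup failed" >&2; exit 1; }
echo "== root trusted, intermediate missing =="
verify_leaf || true
echo "== root trusted, intermediate supplied alongside the leaf =="
verify_leaf -untrusted "$WORK/int.pem" || true
```

The `-untrusted` file plays the role of the intermediate a server sends along with its own certificate: it is used to build the path but is not itself a trust anchor.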



More information about the Info-cyrus mailing list