Oh, ok, once I added the -CAfile change the cert verifies without issue.

openssl s_client -ssl3 -CAfile ~/intca.cer -connect pop.x10.com:995 -quiet
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
verify return:1
depth=0 /C=US/ST=Washington/L=Renton/O=X10 Wireless Technology, Inc./OU=Information Technology/OU=Terms of use at www.verisign.com/rpa (c)05/CN=pop.x10.com
verify return:1
+OK Dovecot ready.

So does that mean I need to install the intermediate cert on all my clients that will be accessing this server? That's going to be a bit of a PITA...

-Geoff

On Wed, 2008-12-24 at 15:26 -0500, Sahil Tandon wrote:
> Geoff Sweet wrote:
>
> > Ok so I downloaded the intermediate ca cert thing onto my local machine
> > as intca.cer. Then I ran this command:
> >
> > :~$ openssl s_client -ssl3 -CApath ./intca.cer -connect pop.x10.com:995
>
> You're pointing to a *file* so you need -CAfile; not -CApath. But even
> after making that change, there appears to be a problem with your cert.
> To test, I downloaded common root certificates from the curl website and
> placed them in ~/CA. Then, the gmail cert verifies just fine:
>
> % openssl s_client -ssl3 -CAfile ~/CA/cacert.pem -connect pop.gmail.com:995
> -quiet
> depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> verify return:1
> depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
> verify return:1
> +OK Gpop ready for requests from 74.72.46.40 5pf1417126ywl.17
>
> However, your server cert still fails. This may be related to the
> intermediate cert you define in dovecot.conf. I also noticed the zlib
> compression is turned on, whereas it is disabled on my own and many
> other POP and IMAP servers I tested.
>
> This does not appear to be a dovecot issue; perhaps try the OpenSSL
> mailing list?
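An added example, not part of the thread above, that builds a throwaway root CA, intermediate CA and server certificate with openssl and then runs the verification the thread is about in each of the situations it touches on: a client that trusts only the root and gets only the leaf, a client that has the intermediate in its own -CAfile bundle (what ~/intca.cer does above), and a server that sends the intermediate in its chain (-untrusted stands in for the certificates a server sends during the handshake); it also builds a subject-hash directory so that -CApath works, since -CApath expects a directory rather than a file. All names (Example Root CA, pop.example.test, the files under $WORK) are constructed for the example; nothing contacts pop.x10.com or any other host.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a local root -> intermediate
# -> server chain, verified the way a POP/IMAP client would verify it.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = req_dn\n[req_dn]\n' > "$WORK/req.cnf"
# CA certificates must carry CA:TRUE or OpenSSL refuses to accept them as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:pop.example.test\n' > "$WORK/leaf.ext"

# newkey_csr NAME SUBJECT: fresh RSA key plus a CSR for it (constructed names).
newkey_csr() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

newkey_csr root "/CN=Example Root CA"
newkey_csr intermediate "/CN=Example Intermediate CA"
newkey_csr server "/CN=pop.example.test"

# Root is self-signed, intermediate is signed by the root, server by the intermediate.
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 2 -days 1 -extfile "$WORK/ca.ext" -out "$WORK/intermediate.pem" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.pem" -CAkey "$WORK/intermediate.key" \
    -set_serial 3 -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/server.pem" 2>/dev/null

# What a server configured with its full chain sends: leaf first, then the intermediate.
cat "$WORK/server.pem" "$WORK/intermediate.pem" > "$WORK/served_chain.pem"
# What a client has when the intermediate is installed locally next to the root.
cat "$WORK/root.pem" "$WORK/intermediate.pem" > "$WORK/client_bundle.pem"

# Client trusts only the root; server sends only its own certificate. Expected to fail
# ("unable to get local issuer certificate").
verify_root_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}
# Client trusts only the root; the chain the server sends supplies the intermediate.
verify_served_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/served_chain.pem" \
        "$WORK/server.pem" >/dev/null 2>&1
}
# Client has root + intermediate in its own bundle; server sends only the leaf.
verify_client_bundle() {
    openssl verify -CAfile "$WORK/client_bundle.pem" "$WORK/server.pem" >/dev/null 2>&1
}
# -CApath wants a directory of files named <subject-hash>.<n>, not a single file.
verify_capath_dir() {
    mkdir -p "$WORK/cadir"
    cp "$WORK/root.pem" "$WORK/cadir/$(openssl x509 -noout -hash -in "$WORK/root.pem").0"
    openssl verify -CApath "$WORK/cadir" -untrusted "$WORK/served_chain.pem" \
        "$WORK/server.pem" >/dev/null 2>&1
}

report() {
    if "$1"; then echo "$1: verify OK"; else echo "$1: verify FAILED"; fi
}
report verify_root_only
report verify_served_chain
report verify_client_bundle
report verify_capath_dir
```

Run it as `sh chain-demo.sh`; only the first case fails. Against a live server, `openssl s_client -showcerts` prints every certificate the server actually sends, which is the quickest way to see whether the intermediate is in the served chain or has to come from the client side.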