Free StartSSL certificate not trusted

2014-04-16 Thread ankbhdk
Cipher: DHE-RSA-AES256-GCM-SHA384
Session-ID: 7D102ECF936A97479CF6ABE7DDB3964D1E6B458FB8DB47A93655EC8408FC414F
Session-ID-ctx:
Master-Key: 6E1F45249FBC11CFF13EE78C0C973787C6B074618C90B922695FEB9B5402A2925895B456A5E646394D2AA802BEA65564
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Start Time: 1397604695
Timeout   : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
+OK Dovecot DA ready.




--
View this message in context: 
http://openssl.6102.n7.nabble.com/Free-StartSSL-certificate-not-trusted-tp49500.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

Free StartSSL certificate not trusted

2014-04-16 Thread Allan Nielsen
Hi all,

I have installed an Ubuntu server with Dovecot and a free certificate from
StartSSL, but I get:
verify error:num=20:unable to get local issuer certificate
and
verify error:num=21:unable to verify the first certificate

Any idea why?
Thanks in advance, Allan

My dovecot conf:
---
auth_username_chars = xxx_@
default_login_user = dovecot
listen = *
login_greeting = Dovecot DA ready.
mail_access_groups = mail
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
passdb {
  args = username_format=%n /etc/virtual/%d/passwd
  driver = passwd-file
}
protocols = pop3
service auth {
  user = root
}
service imap-login {
  process_min_avail = 16
  user = dovecot
}
service pop3-login {
  inet_listener pop3s {
    address = *
    port = 995
  }
  process_min_avail = 16
  user = dovecot
}
#verbose_ssl = yes
ssl_ca = /etc/dovecot/startcom_ca.pem
ssl_cert = /etc/ssl/certs/ssl.crt
ssl_key = /etc/dovecot/pop3d.pem
#ssl_verify_client_cert = yes
userdb {
  driver = passwd
}
userdb {
  args = username_format=%n /etc/virtual/%d/passwd
  driver = passwd-file
}
verbose_proctitle = yes
protocol pop3 {
  pop3_logout_format = top=%t/%p, retr=%r/%b, del=%d/%m, size=%s, bytes=%i/%o
  pop3_uidl_format = %08Xu%08Xv
}
---

Complete test:
an@an-laptop:~$ openssl s_client -connect mail.minlilleverden.dk:995
CONNECTED(0003)
depth=0 description = 35l5njOWJKek82Eu, C = DK, CN = mail.minlilleverden.dk, emailAddress = postmas...@minlilleverden.dk
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 description = 35l5njOWJKek82Eu, C = DK, CN = mail.minlilleverden.dk, emailAddress = postmas...@minlilleverden.dk
verify error:num=27:certificate not trusted
verify return:1
depth=0 description = 35l5njOWJKek82Eu, C = DK, CN = mail.minlilleverden.dk, emailAddress = postmas...@minlilleverden.dk
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/description=35l5njOWJKek82Eu/C=DK/CN=mail.minlilleverden.dk/emailAddress=postmas...@minlilleverden.dk
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
Server certificate
subject=/description=35l5njOWJKek82Eu/C=DK/CN=mail.minlilleverden.dk/emailAddress=postmas...@minlilleverden.dk
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2497 bytes and written 507 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1.2
   

RE: Free StartSSL certificate not trusted

2014-04-16 Thread Eisenacher, Patrick


 -Original Message-
 From Allan Nielsen
 
 I have installed an ubuntu server with dovecot and a free certificate from
 startssl, but I get:
 verify error:num=20:unable to get local issuer certificate
 and
 verify error:num=21:unable to verify the first certificate
 
 Any idea why?

[snip]

 Certificate chain
  0 s:/description=35l5njOWJKek82Eu/C=DK/CN=mail.minlilleverden.dk/emailAddress=postmas...@minlilleverden.dk
    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 ---

Your server sends only an end entity certificate, whose issuer is not trusted 
by your client. You need to add the issuer's certificate to your client's 
truststore.

HTH,
Patrick Eisenacher

Re: Free StartSSL certificate not trusted

2014-04-16 Thread Allan Nielsen
Thanks, you are right.

I got it to work now by adding the ca_bundle to it.

BR.
Allan


2014-04-16 10:28 GMT+02:00 Eisenacher, Patrick patrick.eisenac...@bdr.de:



  -Original Message-
  From Allan Nielsen
 
  I have installed an ubuntu server with dovecot and a free certificate
 from
  startssl, but I get:
  verify error:num=20:unable to get local issuer certificate
  and
  verify error:num=21:unable to verify the first certificate
 
  Any idea why?

 [snip]

  Certificate chain
   0 s:/description=35l5njOWJKek82Eu/C=DK/CN=mail.minlilleverden.dk/emailAddress=postmas...@minlilleverden.dk
     i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
  ---

 Your server sends only an end entity certificate, whose issuer is not
 trusted by your client. You need to add the issuer's certificate to your
 client's truststore.

 HTH,
 Patrick Eisenacher
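
The failure and both fixes discussed in this thread can be reproduced offline. This is an added example, not part of the original messages: it builds a throwaway root, intermediate and leaf (all names constructed) and runs `openssl verify`, where `-CAfile` stands in for the client's trust store and `-untrusted` for the extra certificates a server sends in the handshake. It assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed throwaway PKI: Demo Root CA -> Demo Intermediate CA -> leaf.
# All names and files are made up for this example.

# mkcsr NAME CN: create $DIR/NAME.key and $DIR/NAME.csr
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$DIR/$1.key" -out "$DIR/$1.csr" 2>/dev/null
}

build_chain() {
  DIR=$(mktemp -d)
  trap 'rm -rf "$DIR"' EXIT
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$DIR/ca.ext"
  mkcsr root "Demo Root CA"            # self-signed root
  openssl x509 -req -in "$DIR/root.csr" -signkey "$DIR/root.key" -days 2 \
    -extfile "$DIR/ca.ext" -out "$DIR/root.pem" 2>/dev/null
  mkcsr int "Demo Intermediate CA"     # signed by the root
  openssl x509 -req -in "$DIR/int.csr" -CA "$DIR/root.pem" -CAkey "$DIR/root.key" \
    -CAcreateserial -days 2 -extfile "$DIR/ca.ext" -out "$DIR/int.pem" 2>/dev/null
  mkcsr leaf "mail.example.test"       # end-entity, signed by the intermediate
  openssl x509 -req -in "$DIR/leaf.csr" -CA "$DIR/int.pem" -CAkey "$DIR/int.key" \
    -CAcreateserial -days 2 -out "$DIR/leaf.pem" 2>/dev/null
  # Client trust store that also contains the issuing intermediate
  cat "$DIR/root.pem" "$DIR/int.pem" > "$DIR/store_with_int.pem"
}

# verify_result TRUSTSTORE LEAF [SENT_BY_SERVER]
# Prints OK, or the first X509 verify error number (20 = unable to get local issuer).
verify_result() {
  out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1) || true
  case $out in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1 ;;
  esac
}

build_chain
# 1. What the thread shows: server sends only the leaf, client trusts only the root
echo "leaf only:                 $(verify_result "$DIR/root.pem" "$DIR/leaf.pem")"
# 2. Server also sends the intermediate (certificate plus CA bundle)
echo "leaf + intermediate sent:  $(verify_result "$DIR/root.pem" "$DIR/leaf.pem" "$DIR/int.pem")"
# 3. Client trust store contains the issuer's certificate
echo "issuer in client store:    $(verify_result "$DIR/store_with_int.pem" "$DIR/leaf.pem")"
```

Against a live server, the same condition is visible in the `Certificate chain` section of `openssl s_client`: a correctly configured server lists the intermediate as entry 1 after the leaf at entry 0.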