On Tue, 2009-04-14 at 17:43 +1000, Simon Horman wrote:
On Wed, Apr 08, 2009 at 09:40:37AM -0500, Michael Fernández M wrote:
Hi.
I am trying to install a Comodo cert in perdition and replace the
self-signed certs.....
From Comodo I have:
- enjoy_comodo_ssl.crt
- commercial.key
- Entrust Root
- intermediate certificate (AAA Intermediate)
With "Entrust Root" and "intermediate certificate" I created one file and
put that in: ssl_ca_chain_file
I created that file this way:
cat EntrustSecureServerCA.crt AAACertificateServices_2.crt > /tmp/ca_bundle.crt
I have modified the following lines:
ssl_cert_file /path/to/enjoy_comodo_ssl.crt
ssl_key_file /path/to/commercial.key
ssl_ca_chain_file /path/to/ca_bundle.crt
Then I restarted Perdition, and when I run:
openssl s_client -port 993
depth=0 /C=CL/postalCode=7561115/ST=Metropolitana/L=Santiago/streetAddress=Las
Condes/streetAddress=Av. Rosario Norte 555, Piso 10/O=Enjoy Gestion Ltda/OU=Servicios
Web/OU=Issued through Enjoy Gestion Ltda. E-PKI Manager/OU=Comodo PremiumSSL Wildcard
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=CL/postalCode=7561115/ST=Metropolitana/L=Santiago/streetAddress=Las
Condes/streetAddress=Av. Rosario Norte 555, Piso 10/O=Enjoy Gestion Ltda/OU=Servicios
Web/OU=Issued through Enjoy Gestion Ltda. E-PKI Manager/OU=Comodo PremiumSSL Wildcard
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=CL/postalCode=7561115/ST=Metropolitana/L=Santiago/streetAddress=Las
Condes/streetAddress=Av. Rosario Norte 555, Piso 10/O=Enjoy Gestion Ltda/OU=Servicios
Web/OU=Issued through Enjoy Gestion Ltda. E-PKI Manager/OU=Comodo PremiumSSL Wildcard
verify error:num=21:unable to verify the first certificate
verify return:1
Verify return code: 21 (unable to verify the first certificate)
Why can it not verify the cert? What am I doing wrong?
When I connect with Outlook I got the same error.
Thanks a lot...
Hi Michael,
sorry for the delay in responding.
Do not worry (thanks for the reply)
I could be wrong but it appears that it is s_client that is having trouble
verifying the certificate, not perdition. Perhaps you need to teach
s_client about EntrustSecureServerCA.crt and AAACertificateServices_2.crt ?
mmm, but.. when I connect from outside using a MUA (Outlook, or other)
I have the same problem, Outlook says: Your certificate is not from a
Truth CA.... So... I was wondering if the configuration that I already
did is right.... Is it right? Or am I missing something?
Regards..
Michael.-
I could also be wrong, but looking at the man page I think you need to have your
cert formats in PEM.
If you are trying to replace the self signed certs then I would ask what the
previous working format was.
I have my self signed certs in PEM format and it works.
From the perdition manpage.
--ssl_cert_file FILENAME:
Certificate to use when listening for SSL or TLS connections. Should be in
PEM format. (default "/etc/perdition/perdition.crt.pem")
Also - I checked my CA Authorities on Thunderbird and I see there is an
authority for Comodo. There *should* be one for Outlook, but it is worth a look
to make sure.
--
Regs
-Tiz
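
Added example, not part of the thread and not perdition's own code: a standard-library Python check of the two file-level points raised above, that each file is PEM rather than DER, and that a bundle built with cat holds cleanly separated certificate blocks. The sample "certificates" are constructed placeholders (an ASN.1 SEQUENCE header plus padding), and the function name inspect_cert_file is hypothetical.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)

def inspect_cert_file(data: bytes) -> dict:
    """Classify a certificate file and list problems that stop it loading as PEM."""
    report = {"format": "unknown", "certs": 0, "problems": []}
    # Heuristic: DER is a raw ASN.1 SEQUENCE (first byte 0x30) with no PEM markers.
    if data[:1] == b"\x30" and BEGIN.encode() not in data:
        report.update(format="DER", problems=["DER encoded; convert to PEM"])
        return report
    text = data.decode("ascii", errors="replace")
    if BEGIN not in text:
        report["problems"].append("no PEM certificate block found")
        return report
    report["format"] = "PEM"
    # cat of a file with no trailing newline puts END and BEGIN on one line;
    # PEM readers expect each marker on a line of its own.
    if END + BEGIN in text:
        report["problems"].append("END/BEGIN markers fused: missing newline between files")
    for body in BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            report["problems"].append("block contains invalid base64")
            continue
        if der[:1] != b"\x30":
            report["problems"].append("block does not decode to an ASN.1 SEQUENCE")
            continue
        report["certs"] += 1
    return report

def _pem(der: bytes) -> str:
    return f"{BEGIN}\n{base64.b64encode(der).decode()}\n{END}\n"

# Constructed stand-ins, not real certificates: SEQUENCE header plus padding.
FAKE_ROOT = b"\x30\x2e" + b"\x01" * 46
FAKE_INTERMEDIATE = b"\x30\x2e" + b"\x02" * 46
GOOD_BUNDLE = (_pem(FAKE_ROOT) + _pem(FAKE_INTERMEDIATE)).encode()
# Same two files, but the first one had no trailing newline before cat.
FUSED_BUNDLE = (_pem(FAKE_ROOT).rstrip("\n") + _pem(FAKE_INTERMEDIATE)).encode()

if __name__ == "__main__":
    for name, blob in (("good", GOOD_BUNDLE), ("fused", FUSED_BUNDLE), ("der", FAKE_ROOT)):
        print(name, inspect_cert_file(blob))
```

This only checks encoding and block layout; whether the bundle's issuers actually link the server certificate to a root the client trusts still has to be verified with the real files.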