
I have a certificate from rapidssl. I run this command:

openssl s_client -showcerts -connect smtp.server.com:465

I get this error:

verify error:num=19:self signed certificate in certificate chain

Here is what I have in my postfix main.cf, and what I have done:

smtpd_tls_key_file = /etc/postfix/ssl/smtp.server.com.rsa.key (this is the private key)

smtpd_tls_cert_file = /etc/postfix/ssl/smtp.server.com.PUBLIC.key (this is the public key given to me by rapidssl)

smtpd_tls_CAfile = /etc/postfix/ssl/combo.csr.key This key has both the intermediate keys ON TOP, and the ROOT KEY on the bottom.

Here are the intermediate keys. And here is the root CERT.

How can I use this RapidSSL Certificate?

Mark Henderson
technobuddha

1 Answer


Your test is wrong. You have not given openssl any trusted CAs.

Your CApath may vary, but you'll need to issue something like this:

openssl s_client -showcerts -connect smtp.domain.tld:465 -CApath /etc/ssl/certs

Edit:

I gather from your comment that you don't get it, so let's try this again without even bothering with smtp shall we? This will ensure that your mailserver at least trusts itself.

openssl verify -CAfile /etc/postfix/ssl/combo.csr.key /etc/postfix/ssl/smtp.server.com.PUBLIC.key

Also, because you don't redact well, I can tell you that your server's certs are fine as far as TLS is concerned.

$ openssl s_client -connect smtp.pplsnet.com:465 -CApath /etc/ssl/certs/
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = MVOZF4NDnc-opzbqaWlvgmGVoNEC8Zrv, OU = GT40129440, OU = See www.rapidssl.com/resources/cps (c)12, OU = Domain Control Validated - RapidSSL(R), CN = smtp.pplsnet.com
verify return:1
---
Certificate chain
 0 s:/serialNumber=MVOZF4NDnc-opzbqaWlvgmGVoNEC8Zrv/OU=GT40129440/OU=See www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=smtp.pplsnet.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/serialNumber=MVOZF4NDnc-opzbqaWlvgmGVoNEC8Zrv/OU=GT40129440/OU=See www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=smtp.pplsnet.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4879 bytes and written 409 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 02AC15DBA8798D4D93453CA5A3E4E5AB00EDBF94DD3A438E55E8C5BAECC5C4CE
    Session-ID-ctx: 
    Master-Key: 1CB30B2974C794CDF8608F1D2819FBFA9C7DC6A4BE4F9F69B6369A5F05DDBB21F1830D952B7D72C6E747A764DBB1D2FE
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    Compression: 1 (zlib compression)
    Start Time: 1347395676
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 smtp.pplsnet.com
quit
221 2.0.0 Bye
closed
84104
  • but if it's a mail server, then the mail server should provide the CA as well.... This is the issue with rapidssl if I understand, that a lot of the mail clients don't have the new one.... – technobuddha Sep 11 '12 at 20:18
  • openssl s_client -showcerts -CApath /etc/postfix/ssl/ROOT.Equifax_Secure_Certificate_Authority.cer -connect localhost:465 depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority verify return:1 depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA verify return:1 depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA verify return:1 depth=0 serialNumber = MVOZF4NDnc-opzbqaWlvgmGVoNEC8Zrv, OU = GT40129440, OU = See www.rapidssl.com/resources/cps (c)12, OU = Domain Control Validated - RapidSSL(R), CN = smtp.pplsnet.com verify return:1 – technobuddha Sep 11 '12 at 20:18
  • I'll work on my redact..ing skills. Thanks for the input. So, from what you're saying, the openssl client side is doing everything it's meant to do, and the return result is fine. Although I thought verify return:1 meant an error? – technobuddha Sep 11 '12 at 20:41
  • `openssl verify` codes are not process exit codes. http://www.openssl.org/docs/apps/verify.html#DIAGNOSTICS a value of 1 means continue processing http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html#NOTES – 84104 Sep 11 '12 at 20:45
  • OK, so then I guess I'm doing the testing wrong. How does one verify that the client is able to get all the certs needed? For some reason, NONE of the clients I use will work with TLS; they all hang, and I think it has to do with the fact they don't have the root certificate. So I don't know what order they should be placed into a .pem file? How do I go about testing that it works? – technobuddha Sep 16 '12 at 18:53
  • There is something you should be aware of: `Compression must be disabled` when serving over SSL; otherwise, you expose SSL to `vulnerability 'Beast Attack'` – Digital site Jul 19 '15 at 05:22
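The two checks discussed above (the answer's `openssl verify -CAfile combo ... leaf` test and the follow-up question of how to test the order of the .pem chain file) can be exercised offline. The script below is an added example, not code from the original post or from Postfix/OpenSSL: it builds a throwaway root -> intermediate -> server chain, reproduces the asker's error 19, then shows the verification succeeding once the combined CA file is trusted. The hostname smtp.example.test, all file names and all key material are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway root -> intermediate -> server
# chain, reproduce error 19 ("self signed certificate in certificate chain"), and show what the
# answer's openssl verify check returns once the combined CA file is trusted. The name
# smtp.example.test and all key material are constructed locally; nothing here touches a real server.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions: issuing certs must carry basicConstraints CA:TRUE or openssl verify rejects them.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:smtp.example.test\n' > leaf.ext

# Self-signed root, intermediate signed by the root, server cert signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj '/CN=Demo Root CA' 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3 -extfile ca.ext -out root.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj '/CN=Demo Intermediate CA' 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 3 -extfile ca.ext -out int.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout smtp.key -out smtp.csr -subj '/CN=smtp.example.test' 2>/dev/null
openssl x509 -req -in smtp.csr -CA int.crt -CAkey int.key -CAcreateserial -days 3 -extfile leaf.ext -out smtp.crt 2>/dev/null

# The combined file in the order the question describes: intermediate(s) on top, root at the bottom.
# This is the file smtpd_tls_CAfile would point at.
cat int.crt root.crt > combo.pem

# 1. What the asker's s_client run effectively did: the whole chain is available (the server
#    sends it) but nothing is trusted, so verification stops at the self-signed root with error 19.
verify_untrusted_chain() {
  openssl verify -no-CAfile -no-CApath -untrusted combo.pem smtp.crt 2>&1 || true
}

# 2. The answer's check: trust the combined CA file and verify the server cert against it.
verify_with_cafile() {
  openssl verify -CAfile combo.pem smtp.crt 2>&1
}

# 3. Chain-order check: list the subjects in combo.pem in file order, so a reversed file is obvious.
chain_subjects() {
  openssl crl2pkcs7 -nocrl -certfile combo.pem | openssl pkcs7 -print_certs -noout | grep '^subject'
}

verify_untrusted_chain
verify_with_cafile
chain_subjects
```

The first call prints `error 19 at 2 depth lookup` (the asker's symptom), the second prints `smtp.crt: OK` (the answer's expected result), and the third lists the intermediate before the root.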