[openssl-users] Verifying a certificate chain

Yan Seiner yan at seiner.com
Sun Oct 4 11:03:50 UTC 2015


I am trying to figure out what I have done wrong.

I have a certificate from PositiveSSL for my email server.  I have the 
root certificate and the intermediate certs installed in /etc/ssl/certs/.

However, I still cannot verify my certificate.  I can't figure out what 
I have done wrong.  I've been wrestling with this for a long time, and I 
am out of ideas.

I am not that familiar with ssl certs - they usually "just work". This 
one, however, is kicking my butt.

an at yan-ThinkPad-W530:~$ openssl s_client -connect mail.seiner.com:587 
-starttls smtp
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = 
mail.seiner.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = 
mail.seiner.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = 
mail.seiner.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
  0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.seiner.com
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA 
Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFUTCCBDmgAwIBAgIQQZM9mOpCf6BQO3apU1Xk4jANBgkqhkiG9w0BAQsFADCB
kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV
BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
QTAeFw0xNTEwMDEwMDAwMDBaFw0xODEwMjYyMzU5NTlaMFMxITAfBgNVBAsTGERv
bWFpbiBDb250cm9sIFZhbGlkYXRlZDEUMBIGA1UECxMLUG9zaXRpdmVTU0wxGDAW
BgNVBAMTD21haWwuc2VpbmVyLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKzE7KEEg4I5zIkNa9PzNvDXJLJ0jFb+BXrC80CP0WgcnzDk4+M2tp9I
WK3h8zHVAMj4mIUbzZYYYys0J5WyjlGclk6bPnYcuCyhyZkeevq3ZkIEbNPNlO2K
ao0K9kjuLZomIPVaXsp2xtHuWU6u/Sz+XXIvlTaLuLxM6p74Z8R7DyM3iMa3/8XN
1OT624BKq6xFCas1gMPjAsLrCltDAkQIAT3pute2IsnoL082HSL0Lz8IEPELvwX0
eEmJrkB9mKvk6OoQApaZT1nZlUKtP/xfQSRt8dajR+IJWBkTG8zcWPwgReWgW5nZ
3hT07SKvYsCQO0LU6lxsQmn4UwH74GMCAwEAAaOCAeEwggHdMB8GA1UdIwQYMBaA
FJCvajqUWgvYkOoSVnPfQ7Q6KNrnMB0GA1UdDgQWBBS7eRbyTVxk3hndQRXlC46K
ExFddDAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggr
BgEFBQcDAQYIKwYBBQUHAwIwTwYDVR0gBEgwRjA6BgsrBgEEAbIxAQICBzArMCkG
CCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQUzAIBgZngQwB
AgEwVAYDVR0fBE0wSzBJoEegRYZDaHR0cDovL2NybC5jb21vZG9jYS5jb20vQ09N
T0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNybDCBhQYIKwYB
BQUHAQEEeTB3ME8GCCsGAQUFBzAChkNodHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9D
T01PRE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3J0MCQGCCsG
AQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wLwYDVR0RBCgwJoIPbWFp
bC5zZWluZXIuY29tghN3d3cubWFpbC5zZWluZXIuY29tMA0GCSqGSIb3DQEBCwUA
A4IBAQAWAEcGiQmPdeaFvK+oGumzeecVdmXYbYfuQ71kFrlmH+O/Ju9beKcF+D4D
ZiybDREpzG9p3u2sCVhExttL1QL4tJejMnsIupnzNtWcFZfVt4c8Sf0ed8Q+DL91
vTjrBQ5t2sRVzqfMYv+VC/TCK/5bQwcGwfKRKP7JNwBSz3/QBN6UhJfaiN6gzMSQ
s7Mn6Et4xrkiyeJIrxEgkdiStccH9EDZP9ZSY9SEd4xLHopKF9Mvkt/2Wrkmv4Az
Kn+zccB8XDaceNgAw3AMwg4bLLK5u9T96cKQ3Eo4E1yvdVMmHNeP5t/Teb0xoTsT
hAol+K8Jw30Oi3rLOYHiug5InS6m
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=mail.seiner.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA 
Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3057 bytes and written 698 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : DHE-RSA-AES256-SHA256
     Session-ID: 
E685C52BC4BB67DA59B0CB7B5EF99D3CD64A70C7209E2D7AFF964B0671CA7878
     Session-ID-ctx:
     Master-Key: 
04DE100CFDE53A47F9220EEDE393F026680F0543309EA1CD327B2AB088AB8529D6C2E2FB68223308E84EB3F07BCBBD2D
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1443956465
     Timeout   : 300 (sec)
     Verify return code: 21 (unable to verify the first certificate)
---
250 HELP



More information about the openssl-users mailing list