This actually applies to a bunch of other services we use this same certificate for, but the way Apache does this is the most obvious and contradictory when you compare the test results.
We have a wildcard certificate on our website at https://webmail.lightspeed.ca. Web browsers give our clients a green lock, GeoTrust's CryptoReport at https://cryptoreport.geotrust.com/checker/ tells me that our certificate is installed correctly. Yet when I try to use openssl s_client -connect webmail.lightspeed.ca:443, I get the error Verify return code: 20 (unable to get local issuer certificate)
This is what our Apache configuration looks like for SSL:
SSLEngine on
SSLCertificateFile /mailhome/webmail.lightspeed.ca/ssl.cert
SSLCertificateKeyFile /mailhome/webmail.lightspeed.ca/ssl.key
SSLCACertificateFile /etc/ssl/certs/GeoTrust_DV_SSL_CA-G3.pem
While I understand that the connection is being encrypted, evidently this error message also means that I'm not being fully verified as who I say I am. This is problematic when we apply these same certificates to, say, our SMTP or POP server, as some clients (like Outlook for Android) are really anal about this stuff. The test at http://www.checktls.com/perl/TestReceiver.pl doesn't like this, for example, and we get the error Cert NOT VALIDATED: unable to get local issuer certificate. I find that really weird, because the file GeoTrust_DV_SSL_CA-G3.pem is our intermediate CA certificate. And it's GeoTrust's CA for our particular kind of wildcard cert.
This has been nothing but a source of aggravation for me. Your help would be greatly appreciated.
When you use a browser, or test using the various online tools, you use preconfigured trust anchors (Root CA certificate), whereas openssl runs with a different set of trust anchors, usually defined and distributed by your distro. You need to tell openssl where your trust anchor is located using the -CAfile <filename> option. If openssl doesn't trust your website's trust anchor then you'll need to download it from your CA and then pass it to openssl with the -CAfile option. Once you've done that, openssl will trust the whole chain and will stop giving you that error message.
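As an added example (not code from either post, and not run against the real host), the script below builds a constructed root/intermediate/leaf chain with the openssl CLI and verifies the leaf twice: once with the root as the only trust anchor and nothing else, and once with the intermediate supplied as the untrusted chain a server would send, which shows the exact condition under which verify error 20 is reported. It assumes only a POSIX shell and the openssl command; the CA names, hostname and keys are all made up.

```shell
#!/bin/sh
# Added example: throwaway root -> intermediate -> leaf chain, used to show when
# "unable to get local issuer certificate" (X509 verify error 20) appears.
# All names and keys are constructed; nothing contacts a real server.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Extensions marking a certificate as a CA (applied to the root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# $1 = output key file. Throwaway P-256 key (fast to generate).
newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

build_chain() (
    set -e
    cd "$WORK"
    # Root CA: self-signed. This is the trust anchor a verifier must already hold.
    newkey root.key
    openssl req -new -key root.key -out root.csr -subj "/CN=Constructed Root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 2 -extfile ca.ext 2>/dev/null
    # Intermediate CA: issued by the root (the role GeoTrust_DV_SSL_CA-G3 plays for the real cert).
    newkey int.key
    openssl req -new -key int.key -out int.csr -subj "/CN=Constructed Intermediate CA" 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out int.pem -days 2 -extfile ca.ext 2>/dev/null
    # Leaf (server) certificate: issued by the intermediate, not directly by the root.
    newkey leaf.key
    openssl req -new -key leaf.key -out leaf.csr -subj "/CN=webmail.example.test" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -out leaf.pem -days 2 2>/dev/null
)

# Verify leaf.pem with root.pem as the only trust anchor. $1 (optional) is a file of
# untrusted intermediates, i.e. what a server sends alongside its own certificate.
# Echoes 0 when the chain verifies, otherwise openssl's X509 verify error number.
verify_leaf() {
    if [ -n "$1" ]; then
        out=$(cd "$WORK" && openssl verify -CAfile root.pem -untrusted "$1" leaf.pem 2>&1) || true
    else
        out=$(cd "$WORK" && openssl verify -CAfile root.pem leaf.pem 2>&1) || true
    fi
    case "$out" in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

build_chain
echo "root anchor only, intermediate missing  -> verify error $(verify_leaf)"          # 20
echo "root anchor plus intermediate as chain  -> verify error $(verify_leaf int.pem)"  # 0
```

Error 20 is reported only in the first run, where the verifier holds the root but is never given the intermediate; supplying the intermediate alongside the leaf (as a server does in its chain) lets the same root anchor validate it.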