cosign-discuss at umich.edu
general discussion of cosign development and deployment
I suspect that the majority of my problem stems from my lack of experience with OpenSSL. The following error is plaguing me and hopefully somebody here will have some insight:

    Jul 21 14:23:50 machine cosignd[25423]: f_starttls: snet_starttls: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
    Jul 21 14:23:50 machine cosignd[25423]: snet_getline: Connection reset by peer

I have configured cosignd with:

    COSIGNCERT=/usr/local/cosign/certs/weblogin-bundle.pem

where weblogin-bundle.pem was generated by

    cat weblogin.crt thawte.pem > weblogin-bundle.pem

Note that I saw the same thing when thawte.pem was in my CADIR (and properly hashed) and I was using

    COSIGNCERT=/path/to/weblogin.crt

It is my belief that thawte.pem has the appropriate data inside because in either case, using

    openssl verify -purpose sslclient/sslserver -capath <proper path> weblogin.crt

(or weblogin-bundle.pem with the *wrong* capath/cafile) succeeds.

The apache2 cosign filter reports the following when configured with the same parameters (and the same cert) on the same machine:

    [Wed Jul 21 13:41:59 2004] [error] [client 134.X.X.X] snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I don't really understand why I'm having MORE trouble using certificates that I've paid for than I did with certificates that I signed myself.