	cosign-discuss at umich.edu
	general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

unknown CA

To: cosign-discuss@xxxxxxxxx
Subject: unknown CA
From: Sam Noble <nobles@xxxxxxxx>
Date: Mon, 26 Jul 2004 10:41:48 -0700
User-agent: Mutt/1.2.5.1i

I suspect that the majority of my problem stems from my lack of experience
with OpenSSL.

The following error is plaguing me and hopefully somebody here will have
some insight:

Jul 21 14:23:50 machine cosignd[25423]: f_starttls: snet_starttls: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Jul 21 14:23:50 machine cosignd[25423]: snet_getline: Connection reset by peer



I have configured cosignd with:

COSIGNCERT=/usr/local/cosign/certs/weblogin-bundle.pem

where weblogin-bundle.pem was generated by

cat weblogin.crt thawte.pem > weblogin-bundle.pem

Note that I saw the same thing when thawte.pem was in my CADIR (and
properly hashed) and I was using COSIGNCERT=/path/to/weblogin.crt


It is my belief that thawte.pem has the appropriate data inside because in
either case, using 

openssl verify -purpose sslclient/sslserver -capath <proper path> weblogin.crt (or weblogin-bundle.pem with the *wrong* capath/cafile) 

succeeds.


The apache2 cosign filter reports the following when configured with the
same parameters (and the same cert) on the same machine:

[Wed Jul 21 13:41:59 2004] [error] [client 134.X.X.X] snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


I don't really understand why I'm having MORE trouble using certificates
that I've paid for than I did with certificates that I signed myself.

Follow-Ups:
- Re: unknown CA
  - From: Graeme Wood
- Re: unknown CA
  - From: kevin mcgowan

Prev by Date: replication
Next by Date: Re: unknown CA
Previous by thread: Re: replication
Next by thread: Re: unknown CA
Index(es):
- Date
- Thread