cosign-discuss at umich.edu
general discussion of cosign development and deployment
Re: unknown CA
On 26 Jul 2004, at 18:41, Sam Noble wrote:
> I suspect that the majority of my problem stems from my lack of experience with OpenSSL.
>
> The following error is plaguing me and hopefully somebody here will have some insight:
>
> Jul 21 14:23:50 machine cosignd[25423]: f_starttls: snet_starttls: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> Jul 21 14:23:50 machine cosignd[25423]: snet_getline: Connection reset by peer
>
> I have configured cosignd with:
>
> COSIGNCERT=/usr/local/cosign/certs/weblogin-bundle.pem
>
> where weblogin-bundle.pem was generated by
>
> cat weblogin.crt thawte.pem > weblogin-bundle.pem
>
> Note that I saw the same thing when thawte.pem was in my CADIR (and properly hashed) and I was using COSIGNCERT=/path/to/weblogin.crt
>
> It is my belief that thawte.pem has the appropriate data inside because in either case, using
>
> openssl verify -purpose sslclient/sslserver -capath <proper path> weblogin.crt (or weblogin-bundle.pem with the *wrong* capath/cafile)
>
> succeeds.
>
> The apache2 cosign filter reports the following when configured with the same parameters (and the same cert) on the same machine:
>
> [Wed Jul 21 13:41:59 2004] [error] [client 134.X.X.X] snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> I don't really understand why I'm having MORE trouble using certificates that I've paid for than I did with certificates that I signed myself.
The ones you sign yourself are both client and server certificates. The ones you buy tend to be server-only. At least that is the problem we had with ones we bought, so we just use locally signed certificates for the SSL communication between the cosign servers and the web servers.
--
=============================================================================
Graeme Wood                 Email: Graeme.Wood@xxxxxxxx
Unix Systems Support        Phone: +44 131 650 5003
The University of Edinburgh Fax:   +44 131 650 6552
=============================================================================
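The server-only versus dual-purpose distinction in the reply above, shown as an added example that is not from this thread or from the cosign project. The script builds a throwaway CA and two leaf certificates, one carrying only the serverAuth extended key usage (the shape of a typical purchased certificate) and one carrying serverAuth and clientAuth (the shape of a locally signed one), then runs the same `openssl verify -purpose sslclient` / `-purpose sslserver` checks the original poster used. It assumes a reasonably current openssl(1) in PATH; the CA name, hostname and file names are invented.

```sh
#!/bin/sh
# Added example for this thread (not cosign project code). Assumes openssl(1)
# in PATH; every name and path below is made up for the demonstration.
set -e

# make_certs DIR: writes a test CA plus two leaves signed by it into DIR:
#   server-only.pem  extendedKeyUsage = serverAuth            (purchased-style)
#   dual.pem         extendedKeyUsage = serverAuth, clientAuth (locally-signed-style)
make_certs() {
    dir=$1
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_only ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[ dual ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth, clientAuth
EOF
    # Self-signed test CA; EC P-256 keys keep key generation fast.
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$dir/openssl.cnf" -extensions ca_ext -subj "/CN=Test CA" -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    for profile in server_only dual; do
        case $profile in server_only) name=server-only ;; *) name=dual ;; esac
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -config "$dir/openssl.cnf" -subj "/CN=weblogin.example.edu" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
        # Sign the CSR with the CA, picking the extension section for this profile.
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 1 -extfile "$dir/openssl.cnf" -extensions "$profile" \
            -out "$dir/$name.pem" >/dev/null 2>&1
    done
}

# eku_of CERT: prints the certificate's extendedKeyUsage line from
# `openssl x509 -text`, or "(none)" when the extension is absent.
eku_of() {
    out=$(openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Extended Key Usage/{n;s/^[[:space:]]*//;p;}')
    if [ -n "$out" ]; then echo "$out"; else echo "(none)"; fi
}

# cert_purposes CERT CAFILE: prints "server=ok|FAIL client=ok|FAIL" using the
# same two -purpose checks the original poster ran. Success is detected from
# the ": OK" line rather than the exit status, which old releases did not set.
cert_purposes() {
    cert=$1; cafile=$2
    srv=FAIL; cli=FAIL
    openssl verify -purpose sslserver -CAfile "$cafile" "$cert" 2>/dev/null |
        grep -q ': OK$' && srv=ok
    openssl verify -purpose sslclient -CAfile "$cafile" "$cert" 2>/dev/null |
        grep -q ': OK$' && cli=ok
    echo "server=$srv client=$cli"
}

# Demo: build the certificates in a scratch directory and report on each.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_certs "$tmp"
for c in server-only dual; do
    echo "$c.pem: EKU=$(eku_of "$tmp/$c.pem")  $(cert_purposes "$tmp/$c.pem" "$tmp/ca.pem")"
done
```

The server-only certificate passes `-purpose sslserver` and fails `-purpose sslclient` with "unsupported certificate purpose", while the dual-purpose one passes both; a certificate with no extendedKeyUsage at all (what a bare self-signed certificate usually has) is accepted for every purpose, which is why home-made certificates worked where the purchased one did not. Note that `openssl verify` only tells you what a certificate file is good for; whether the peer actually trusts it also depends on the CA bundle or hashed directory that the other side loads.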