

This actually applies to a bunch of other services we use this same certificate for, but the way Apache does this is the most obvious and contradictory when you compare the test results.

We have a wildcard certificate on our website at https://webmail.lightspeed.ca. Web browsers give our clients a green lock, GeoTrust's CryptoReport at https://cryptoreport.geotrust.com/checker/ tells me that our certificate is installed correctly. Yet when I try to use openssl s_client -connect webmail.lightspeed.ca:443, I get the error Verify return code: 20 (unable to get local issuer certificate)

This is what our Apache configuration looks like for SSL:

SSLEngine on
SSLCertificateFile /mailhome/webmail.lightspeed.ca/ssl.cert
SSLCertificateKeyFile /mailhome/webmail.lightspeed.ca/ssl.key
SSLCACertificateFile /etc/ssl/certs/GeoTrust_DV_SSL_CA-G3.pem

While I understand that the connection is being encrypted, evidently this error message also means that I'm not being fully verified as who I say I am. This is problematic when we apply these same certificates to say, our SMTP or POP server, as some clients (like Outlook for Android) are really anal about this stuff. The test at http://www.checktls.com/perl/TestReceiver.pl doesn't like this, for example, and we get the error Cert NOT VALIDATED: unable to get local issuer certificate. I find that really weird, because the file GeoTrust_DV_SSL_CA-G3.pem is our intermediate CA certificate. And it's Geotrust's CA for our particular kind of wildcard cert.

This has been nothing but a source of aggravation for me. Your help would be greatly appreciated.

When you use a browser, or test using the various online tools, you are using preconfigured trust anchors (root CA certificates), whereas openssl runs with a different set of trust anchors, usually defined and distributed by your distro.

You need to tell openssl where your trust anchor is located using the -CAfile <filename> option.

If openssl doesn't trust your website's trust anchor then you'll need to download it from your CA and pass it to openssl with the -CAfile option. Once you've done that, openssl will trust the whole chain and will stop giving you that error message.

    • Openssl is supposed to use the CA certificates in /etc/ssl/certs, isn't it? Also, I'm pretty sure this also means that we'd have to get our clients on Android phones to download and install the "right" CA somehow.
    • Yes, or thereabouts. The exact path depends on your distro. But they aren't necessarily the same as the ones used in browsers, and therefore this collection may not include the one that's signed your certificate. Browsers, and that could include Android browsers, may use a different set that does include the root CA that is the trust anchor for your certificate.
