postfix, TLS and rapidssl - "verify error:num=19:unable to get local issuer certificate"

I have a certificate from RapidSSL. I run the following command:

openssl s_client -showcerts -connect smtp.server.com:465

I get this error:

verify error:num=19:self signed certificate in certificate chain

Here is what is in my postfix main.cf and what I have done:

smtpd_tls_key_file = /etc/postfix/ssl/smtp.server.com.rsa.key (this is the private key)

smtpd_tls_cert_file = /etc/postfix/ssl/smtp.server.com.PUBLIC.key (this is the public key RapidSSL gave me)

smtpd_tls_CAfile = /etc/postfix/ssl/combo.csr.key (this file has the intermediate key at the top and the root key at the bottom)

This is the intermediate key. And this is the root certificate.

How do I use this RapidSSL certificate?

Answer 1

Your test is wrong. You did not give openssl any trusted CAs.

Your CApath may vary, but you need to issue something like:

openssl s_client -showcerts -connect smtp.domain.tld:465 -CApath /etc/ssl/certs

Edit:

I gather from your comment that you did not understand, so let's try again, without even involving SMTP, okay? This will make sure that your mail server at least trusts itself.

openssl verify -CAfile /etc/postfix/ssl/combo.csr.key /etc/postfix/ssl/smtp.server.com.PUBLIC.key

Also, since your edit was not quite right, I can tell you that as far as TLS is concerned, your server certificate is fine.

$ openssl s_client -connect smtp.pplsnet.com:465 -CApath /etc/ssl/certs/
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = MVOZF4NDnc-opzbqaWlvgmGVoNEC8Zrv, OU = GT40129440, OU = See www.rapidssl.com/resources/cps (c)12, OU = Domain Control Validated - RapidSSL(R), CN = smtp.pplsnet.com
verify return:1
---
Certificate chain
 0 s:/serialNumber=MVOZF4NDnc-opzbqaWlvgmGVoNEC8Zrv/OU=GT40129440/OU=See www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=smtp.pplsnet.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/serialNumber=MVOZF4NDnc-opzbqaWlvgmGVoNEC8Zrv/OU=GT40129440/OU=See www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=smtp.pplsnet.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4879 bytes and written 409 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 02AC15DBA8798D4D93453CA5A3E4E5AB00EDBF94DD3A438E55E8C5BAECC5C4CE
    Session-ID-ctx: 
    Master-Key: 1CB30B2974C794CDF8608F1D2819FBFA9C7DC6A4BE4F9F69B6369A5F05DDBB21F1830D952B7D72C6E747A764DBB1D2FE
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    0000 - 98 6f 77 64 69 04 ed 23-98 96 7a 10 38 45 1c 90   .owdi..#..z.8E..
    0010 - 4a 37 c2 5c 9c 43 06 9d-d7 69 65 b1 07 d2 27 40   J7.\.C...ie...'@
    0020 - 34 81 91 46 ce 0d d1 02-b0 e2 95 79 85 39 42 f8   4..F.......y.9B.
    0030 - b5 e9 ac a0 fa d9 bf d0-25 0d f4 71 f5 1e ff 42   ........%..q...B
    0040 - 44 1b 6f d0 87 27 46 78-05 ce ce 4d 4b 59 88 d9   D.o..'Fx...MKY..
    0050 - e1 42 b2 43 40 2c 22 7b-ca 72 86 d1 e8 bd dd 3d   .B.C@,"{.r.....=
    0060 - e3 5b 8b fa a9 54 47 8c-91 e2 96 e6 a1 6b 17 ea   .[...TG......k..
    0070 - a1 1b fc 9f 49 8f 11 e8-fa b2 59 d6 2a 77 66 5b   ....I.....Y.*wf[
    0080 - 88 25 d7 12 e6 08 7d 64-d4 4d 60 cc ea f3 f9 d2   .%....}d.M`.....
    0090 - 12 c6 b8 95 b0 66 21 e3-2d d2 2f e9 f1 96 cc 35   .....f!.-./....5
    00a0 - a6 3a 7c 2f 8f 71 24 91-30 b5 fc 2f d0 e6 a1 f4   .:|/.q$.0../....

    Compression: 1 (zlib compression)
    Start Time: 1347395676
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 smtp.pplsnet.com
quit
221 2.0.0 Bye
closed
