Can I have some recommendations about what company and what package to go with for a certificate to work with openser? I have a cert from godaddy, and it seems that it won't work with openser because of the intermediate certificate that they require you to use.
Godaddy issues a certificate, a private key and an intermediate certificate (the intermediate certificate So openser loads just fine if I set:
tls_certificate=cert.pem
tls_private_key=cert.key
but the phone still fails to validate the certificate, because there is no place to specify the intermediate certificate. The intermediate certificate is the one that corresponds to the apache2 ssl directive SSLCertificateChainFile.
The phone says: Registration Error: 503 - Certificate Validation Failure
and the openser logs say:
7(7201) tls_accept: Error in SSL:
7(7201) tls_error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Thanks, Mark Price
Hi Mark!
If I understand it correctly, the problem is on the phone. Which phone do you use?
How does the phone handle the CA certs? Can you specify multiple files? Can you upload the intermediate CA instead of the root CA to the phone?
How is your openser configured? Have you added the intermediate certificate into the CA file? I think if you add it to the CA file, openssl will send not only the server certificate to the client, but the whole certificate chain.
regards klaus
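The situation discussed in this thread, reproduced with a constructed test PKI as an added example (not part of the original messages): a client that trusts only the root rejects a server certificate issued by an intermediate, and accepts it once the intermediate is supplied as well. The CA names, file names and the `newkey`, `make_chain` and `verify_*` helpers are made up for illustration; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed throwaway PKI: root CA -> intermediate CA -> server certificate.
# All names and file names below are made up for this example.
newkey() {  # $1 = basename, $2 = CN; writes $1.key and $1.csr
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
make_chain() {  # $1 = working directory
  (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    newkey root "Example Root" &&
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
      -days 2 -out root.pem 2>/dev/null &&
    newkey inter "Example Intermediate" &&
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
      -CAcreateserial -extfile ca.ext -days 2 -out inter.pem 2>/dev/null &&
    newkey cert "sip.example.test" &&
    openssl x509 -req -in cert.csr -CA inter.pem -CAkey inter.key \
      -CAcreateserial -days 2 -out cert.pem 2>/dev/null
  )
}
# The phone trusts only the root. If the server presents cert.pem alone,
# the verifier cannot find the issuer and rejects it.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/cert.pem" 2>/dev/null |
    grep -q ': OK$'
}
# Same trust store, but the intermediate is supplied with the server cert.
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
    "$1/cert.pem" 2>/dev/null | grep -q ': OK$'
}

dir=$(mktemp -d) && make_chain "$dir"
verify_leaf_only "$dir" && echo "leaf only: OK" || echo "leaf only: rejected"
verify_with_intermediate "$dir" && echo "with intermediate: OK" \
  || echo "with intermediate: rejected"
rm -rf "$dir"
```

The two `openssl verify` invocations can be run unchanged against a real server certificate, its intermediate and the root the client trusts to see which side of the chain is missing.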