WebFaction Community site

Did Webfaction change the certificate it uses on smtp.webfaction.com? Attempting to send email, I'm getting an SSL error that I'm missing the needed root certificate. This only started for me today and I've not changed the certificate configuration on my system. I'm running OS X 10.6.8.

I don't have this problem with IMAP over SSL at mail.webfaction.com, but that server is using a different certificate.

If this behavior is appropriate, where can I safely get the missing root certificate?

(This is a wee bit annoying.)

The certificate in question:

-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----

That is to say...

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 870569 (0xd48a9)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=GeoTrust, Inc., CN=RapidSSL CA
        Validity
            Not Before: Jul 30 14:31:37 2013 GMT
            Not After : Nov  2 03:26:32 2015 GMT
        Subject: serialNumber=82UxCoGYcIQQvHoN/K3kqdcxfb/PwCEJ, OU=GT32045455, OU=See www.rapidssl.com/resources/cps (c)13, OU=Domain Control Validated - RapidSSL(R), CN=*.webfaction.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:9a:d8:e0:55:fa:a1:be:f8:a4:c2:f8:60:a9:da:
                    61:d1:ea:e9:ad:a6:04:17:71:c8:6a:93:73:70:b9:
                    3b:cc:0e:46:72:58:d9:a8:f7:34:c0:90:53:c6:67:
                    4c:01:00:54:ab:d8:b2:05:17:eb:08:fa:b2:e7:56:
                    2a:48:86:62:ab:60:e3:f5:43:a7:b8:44:9c:58:c6:
                    94:e6:88:bf:6f:f4:66:b7:34:7f:97:a4:ef:81:e4:
                    2f:cc:6f:2d:8d:5e:b6:46:bf:98:13:07:3d:b8:41:
                    17:d9:70:ac:0d:2a:11:97:95:07:f2:44:34:e2:02:
                    f3:45:e0:30:6f:e2:2c:d0:2b:17:44:25:ed:8a:de:
                    2d:34:24:4c:ca:f0:15:4f:15:c9:ca:7d:a7:4b:dd:
                    82:53:40:0c:1d:9e:45:c1:1d:04:4b:44:fd:1e:2e:
                    94:69:2f:d2:45:4b:be:bf:a6:b4:8e:5b:66:66:a6:
                    64:33:d4:16:90:ce:79:49:8c:d6:13:8a:3c:aa:5a:
                    58:e1:d6:f6:62:f5:dd:be:10:61:7f:f3:a2:00:1c:
                    7f:c6:37:d7:e6:34:64:4d:a6:b8:aa:ca:21:b1:d8:
                    5d:6e:68:b3:27:78:81:fe:5f:4b:c7:65:c7:c8:ee:
                    b5:8e:cb:56:44:46:61:b8:2e:9a:df:59:ce:ca:71:
                    8c:5b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:6B:69:3D:6A:18:42:4A:DD:8F:02:65:39:FD:35:24:86:78:91:16:30
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:*.webfaction.com, DNS:webfaction.com
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://rapidssl-crl.geotrust.com/crls/rapidssl.crl

            X509v3 Subject Key Identifier: 
                E5:42:CE:80:F5:AD:9A:B6:53:CA:4E:C0:FF:D3:D1:BD:08:9E:01:D5
            X509v3 Basic Constraints: critical
                CA:FALSE
            Authority Information Access: 
                OCSP - URI:http://rapidssl-ocsp.geotrust.com
                CA Issuers - URI:http://rapidssl-aia.geotrust.com/rapidssl.crt

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.113733.1.7.54
                  CPS: http://www.geotrust.com/resources/cps

    Signature Algorithm: sha1WithRSAEncryption
        64:4a:c0:eb:56:ee:c9:c4:80:06:2e:bc:fd:5d:a6:17:26:e6:
        ab:e2:a2:86:cc:4f:98:91:d9:da:e1:f9:72:fd:b6:cd:21:b8:
        20:ef:a2:74:ec:31:00:b4:64:87:4f:15:a4:5c:fe:78:bd:a5:
        e3:20:99:84:a1:fe:4c:ef:f5:e2:34:6f:0c:a7:d5:33:79:2b:
        cc:59:12:c5:d7:1f:00:98:64:39:1f:57:00:f1:ca:32:18:5e:
        cc:f8:7f:70:e2:40:55:64:18:eb:69:de:51:e0:75:f7:b7:2d:
        2f:c7:8b:64:13:9d:28:e5:7c:97:59:26:8d:cd:66:44:b0:3c:
        56:2b:4a:08:21:e2:c4:65:73:e3:35:2f:08:2e:36:26:46:2d:
        ce:8e:2d:04:2d:f4:4a:09:c3:51:a2:47:4f:6b:5b:4e:25:bf:
        91:e0:e0:77:ac:35:a7:73:67:fa:e6:54:85:25:13:43:c1:d1:
        5f:20:41:73:fd:28:1d:d8:2d:38:1d:82:1b:27:cf:bd:53:e1:
        cc:e4:50:e5:85:9b:19:d5:b7:ee:10:ea:ae:ac:1f:09:34:51:
        b0:f5:4b:e8:d7:b6:9b:c8:3a:a9:41:f0:d0:80:f3:58:d9:30:
        c2:d2:fe:e2:e5:2b:03:04:25:81:51:c4:7b:d0:7d:d2:9a:dd:
        70:97:29:39

asked 23 Aug '13, 19:35

x704


We updated the certificates 2 days ago according to our internal change logs.

Try clearing your client's cached certificates, or try another client such as Mozilla to see if the issue continues. If it does, submit a support ticket and we can assist further.

answered 23 Aug '13, 21:48

johns

The error vanished by itself on smtp.webfaction.com, but now it's acting up on mail.webfaction.com. The issue shows up if I manually connect, so it's not a problem with my mail client:

openssl s_client -connect mail.webfaction.com:993

CONNECTED(00000003)
depth=0 serialNumber = 82UxCoGYcIQQvHoN/K3kqdcxfb/PwCEJ, OU = GT32045455, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = *.webfaction.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = 82UxCoGYcIQQvHoN/K3kqdcxfb/PwCEJ, OU = GT32045455, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = *.webfaction.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 serialNumber = 82UxCoGYcIQQvHoN/K3kqdcxfb/PwCEJ, OU = GT32045455, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = *.webfaction.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/serialNumber=82UxCoGYcIQQvHoN/K3kqdcxfb/PwCEJ/OU=GT32045455/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.webfaction.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
subject=/serialNumber=82UxCoGYcIQQvHoN/K3kqdcxfb/PwCEJ/OU=GT32045455/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.webfaction.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 2037 bytes and written 409 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 70F0A451C6AE605D28150275F9B518CF0DB1CB56A073FE2B380C2FD967E5F8E9
    Session-ID-ctx: 
    Master-Key: 9CD4615954A32CBA976134B053CBDE14BF3E515C10594E4682FDD2DBC627B1BF182E32A306234257EC0326BEDFFCDDD8
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1377738586
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
* OK Dovecot ready.
(28 Aug '13, 20:28) x704

That message just means the server is not asking for client certificates, which is fine.

(29 Aug '13, 03:06) waynek

(Sorry, emphasis was added by the comment system, not me.) The problem appears to have gone away for now; it looks like the server is using the old certificate again. Shouldn't Dovecot include the intermediate certificate(s) in the certificate chain? Webfaction's Postfix SSL configuration is operating with the new certificates and sending them correctly.

(29 Aug '13, 04:58) x704

We're still working on upgrading the certificates to be consistent everywhere. Please wait about a week and let us know if you're still seeing this afterward.

(30 Aug '13, 00:11) ryans ♦♦

Sorry, it may be redundant to point out that Dovecot is back to not sending the certificate chain with the new cert. Would it work to concatenate the server certificate with the intermediates?

(02 Sep '13, 21:07) x704

That's not exactly the problem. For example, you can see from this command that everything is working on the mailbox1.webfaction.com server:

openssl s_client -connect mailbox1.webfaction.com:993

but that it's not working on mailbox10.webfaction.com yet:

openssl s_client -connect mailbox10.webfaction.com:993

We have an internal ticket about this issue and we're working on it; it's not as simple as the certificate chain being concatenated or not.

(02 Sep '13, 21:13) ryans ♦♦

I'm receiving the same error when I try to receive my WebFaction email on Gmail.

Gmail says:

"Tue, Sep 3, 2013 at 11:24 AM SSL Security Error. [ Help ] Server returned error "SSL error: unable to verify the first certificate""

answered 03 Sep '13, 09:31

Joao Paulo L...
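The chain problem the whole thread circles around (the asker's question of where to safely get the missing certificate, the openssl s_client output above that lists only the depth 0 certificate and ends in verify return code 21, the question of whether concatenating the intermediate would help, ryans's mailbox1 versus mailbox10 comparison, and the Gmail error in this answer) can be reproduced offline. What follows is an added example, not code from this thread or from WebFaction. It generates its own root, intermediate and leaf (ECDSA keys, made-up names, a made-up AIA URL, and mail.example.test standing in for mail.webfaction.com), runs a loopback TLS server that presents either the leaf alone or the leaf plus the intermediate, and connects a client that trusts only the root, the way a mail client or s_client does. It uses only the Go standard library and assumes it may bind a listener on 127.0.0.1.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serverName = "mail.example.test" // constructed; stands in for mail.webfaction.com
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with parent's key; with no parent the template is its own issuer (self-signed).
func issue(tmpl *x509.Certificate, parent *certPair) *certPair {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent = &certPair{cert: tmpl, key: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key))
	return &certPair{cert: must(x509.ParseCertificate(der)), key: key}
}

// newChain mirrors the thread's hierarchy: root -> intermediate (the "RapidSSL CA" role) -> wildcard leaf.
func newChain() (root, inter, leaf *certPair) {
	now := time.Now()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: true,
			BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	}
	root = issue(ca(1, "Example Root CA"), nil)
	inter = issue(ca(2, "Example Intermediate CA"), root)
	leaf = issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "*.example.test"},
		DNSNames: []string{"*.example.test", "example.test"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IssuingCertificateURL: []string{"http://aia.example.test/intermediate.crt"}, // AIA "CA Issuers" (URL made up)
	}, inter)
	return root, inter, leaf
}

// certFile is the "concatenate" fix: the PEM bundle a server's certificate file should hold (leaf
// first, then each intermediate, never the root), loaded as a server loads it. No intermediates = the misconfigured server.
func certFile(leaf *certPair, intermediates ...*certPair) tls.Certificate {
	var bundle []byte
	for _, c := range append([]*certPair{leaf}, intermediates...) {
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.cert.Raw})...)
	}
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: must(x509.MarshalECPrivateKey(leaf.key))})
	return must(tls.X509KeyPair(bundle, keyPEM))
}

// handshake connects a client that trusts only roots (as a mail client or openssl s_client does)
// to a loopback server presenting cert; it returns the client's error, nil when the chain verifies.
func handshake(cert tls.Certificate, roots *x509.CertPool) error {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}}))
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // fails with the client's alert when the client rejects the chain
			c.Close()
		}
	}()
	raw := must(net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second))
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second)) // never hang on a stuck peer
	return tls.Client(raw, &tls.Config{RootCAs: roots, ServerName: serverName}).Handshake()
}

// verifyOffline is the client-side workaround, like "openssl verify -CAfile root.pem -untrusted
// intermediate.pem leaf.pem": the intermediate is supplied locally (e.g. fetched from the AIA URL).
func verifyOffline(leaf *x509.Certificate, roots, intermediates *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, DNSName: serverName})
	return err
}

func main() {
	root, inter, leaf := newChain()
	roots := x509.NewCertPool() // the client's trust store: the root only, never the intermediate
	roots.AddCert(root.cert)
	fmt.Println("server sends leaf only (mailbox10 case):  ", handshake(certFile(leaf), roots))
	fmt.Println("server sends leaf+intermediate (mailbox1):", handshake(certFile(leaf, inter), roots))
	fmt.Println("missing intermediate advertised at:", leaf.cert.IssuingCertificateURL)
}
```

The leaf-only handshake fails with "x509: certificate signed by unknown authority", the Go counterpart of s_client's "unable to get local issuer certificate" and "unable to verify the first certificate"; presenting the leaf followed by the intermediate makes the same client, with the same trust store, succeed. verifyOffline is the client-side workaround the asker was looking for: the leaf's Authority Information Access extension (the "CA Issuers - URI:" line in the dump above) names where the intermediate can be fetched, and passing it as an untrusted intermediate rather than installing it as a trusted root is the safe way to use it. On a real server, certFile corresponds to the certificate file the daemon loads; Dovecot's ssl_cert and Postfix's smtpd_tls_cert_file both take the leaf followed by the intermediates in a single file, and "openssl s_client -showcerts -connect host:993" shows what a server actually sends. As ryans notes above, though, the contents of that file were not the whole story for the WebFaction mailbox servers.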

last updated: 03 Sep '13, 09:31

© COPYRIGHT 2003-2019 SWARMA LIMITED - WEBFACTION IS A SERVICE OF SWARMA LIMITED