[Operators] IM Observatory: Not recognising DigiCert root certificate

Peter Saint-Andre stpeter at stpeter.im
Thu Oct 31 02:02:53 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rob Norris! I was thinking about you just the other day while walking
around the streets of Portland, Oregon. :-)

On 10/30/2013 07:44 PM, Robert Norris wrote:
> Just learned about the IM Observatory, cute idea. Of course I ran
> our server through it:
> 
> http://xmpp.net/result.php?domain=fastmail.fm&type=client
> 
> It has some good advice, which I'm now working through.

That's the idea.

> I think the "Intermediate certificate was not included in the
> chain" error might be bogus though. Its choking on the apparent
> lack of the "DigiCert High Assurance EV Root CA" cert, however this
> is a cert normally included and trusted by browsers and clients
> alike.
> 
> Consider:
> 
> http://www.digicert.com/help/?host=chat.messagingengine.com%3A5223
> 
> No errors. Which I'd expect, considering the same keychain is used
> on all of our services.
> 
> So is the tester subtly broken, or am I subtly misconfigured?

I'm trying with the OpenSSL s_client...

openssl s_client -connect chat.messagingengine.com:5223 -CAfile
DigiCertHighAssuranceECRootCA.crt

The result I get is:

"Verify return code: 20 (unable to get local issuer certificate)"

Peter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJScbpNAAoJEOoGpJErxa2pw/gP/3BzFvxQMJMnniWYWDq0tJd7
nfPYgfG44EDxa0y+WGfZUPMPCUEvcFMhp9mxxNRP90VtH4WCwdnoDwCD20gVv8ce
dOWdzgX/svF2pglVnUBNoW6xART8uOns4rN902n8+sdM2HVhscsqwZLJb4XpXFej
TQDrrfaCtuPvO0st/+FTjHSl1WPtX19TulbPOUGunX3NOsQ219knWPdSh2D1myxF
YbsiSCQweJdHCBJSr9bRNOUQQINjRDyBS8k6hbuzZfnnx65SqDjrD69qHwuc64dq
lNg4gRjbIPJAXDlPxi6mR8vI/3LwV7VCieyyRXgAmW7KUMIG+TtndC4d0K/0GrC3
Qc+51REVq6H5JWrt0L6KNUSOG5M7DsvJQDxUmoFc+tDH2d9p14t8mNTgx8CNi1fn
fCNf0G17jFkHcrgh4cn0rk1d8jXA9lFmAsRvqVonL263FqV+OQp8S+IetdGPsbnw
t+Yz3wZKmCNjPIrcmh+HlplK49EVlosS5Ngd+SkG1opPOh1FRAWUvHvnQYRSLp95
5w3MCP0g4KhaJPAoABTcLaaz25p/X5DbH4s0C6dqX9rVpyPbGhmrl55SI0pQxCCY
Bxp4BNpKuCrsqkKYh7cWsMbF9v1CkfZWz7L+V608dzgpUbwHg9d1iMDDnZ1qBF8a
cNrlELQh3mV7cdIZz3zY
=oL6r
-----END PGP SIGNATURE-----


More information about the Operators mailing list