On Mon, 23 Dec 2019 09:31:08 +0100 Heiko Schlittermann via Exim-users
wrote:
> Christian Balzer <chibi@???> (Mo 23 Dez 2019 06:07:46 CET):
> > >
> > I've tried this with "openssl s_server" and it works either which way,
> > unsurprisingly.
> > "openssl s_server -cert wildcard.crt -key wildcard.key -CAfile ca.crt"
> >
> > I can't get gnutls_server to use/send the CA intermediate at all, only the
> > server cert is sent with:
> > "gnutls-serv --x509keyfile=wildcard.key
> > --x509cafile=ca.crt"
>
> I'd expect --x509cafile only useful for verification of client certificates.
> So I'd append the intermediate cert to the wildcard.crt file.
>
> How did you specify your intermediate cert file in your exim
> configuration?
>
The --x509certfile=wildcard.crt has both certs in it (server then
intermediate as always); it's the same that Exim consumes.

Note that "openssl s_server" didn't pick that 2nd cert up by itself
either, it needed the ca.crt hint to work.

And that little detail solved the problem: for reasons that are currently
beyond me, the wildcard.crt (associated with the VIP) had a wrong
intermediate in it; the default ones (still same wildcard cert, but
different file) had the correct one and thus worked.

Now before I beat myself or whoever messed this up to a pulp, whatever
causes that wrong cert to be SILENTLY ignored and not sent to the other
side deserves a good deal of blame, too.
Same for the client(s) not complaining about this and just helpfully
filling in the blanks.

Case closed, thanks a bundle.

Christian
--
Christian Balzer Network/Systems Engineer
chibi@??? Rakuten Mobile Inc.
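A pre-deployment check for the failure described in this message (a bundle whose second certificate is not the issuer of the first), as an added example that is not part of the original post or of Exim, GnuTLS or OpenSSL. It compares issuer and subject names byte for byte and does not verify signatures; the certificate skeletons and all names in it are constructed sample input.

```python
import base64, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) as raw DER Name bytes of one certificate."""
    _, pos, _ = _tlv(der, 0)        # Certificate SEQUENCE
    _, pos, end = _tlv(der, pos)    # TBSCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = _tlv(der, pos)
        fields.append((tag, der[pos:nxt]))
        pos = nxt
    if fields[0][0] == 0xA0:        # optional [0] version field
        fields.pop(0)
    # Remaining order: serial, sigAlg, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]

def chain_breaks(pem):
    """Indexes i where cert i's issuer differs from cert i+1's subject."""
    ders = [base64.b64decode(b) for b in PEM_RE.findall(pem)]
    return [i for i in range(len(ders) - 1)
            if names(ders[i])[0] != names(ders[i + 1])[1]]

# Constructed sample input: skeletons with names only, no keys or signatures.
def _der(tag, body):
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

def _name(cn):  # Name with a single commonName (OID 2.5.4.3) attribute
    atv = _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def fake_cert(subject, issuer):
    tbs = _der(0x30, _der(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + _der(0x30, b"")
               + _name(issuer) + _der(0x30, b"") + _name(subject))
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(_der(0x30, tbs))
            + b"-----END CERTIFICATE-----\n")

LEAF = fake_cert("*.example.test", "Constructed CA A")
GOOD = LEAF + fake_cert("Constructed CA A", "Constructed Root")  # right intermediate
BAD = LEAF + fake_cert("Constructed CA B", "Constructed Root")   # wrong intermediate
```

To check a real bundle, pass its bytes to `chain_breaks`; an empty list means every certificate names the next one as its issuer.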