New problem in town. A server could not send e-mail using PHP, but could connect using telnet.
stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:#012error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Some error from a PHP class.
Well, it appears that there is no cert on the server:
php -r "print_r(openssl_get_cert_locations());"
Array
(
[default_cert_file] => /etc/pki/tls/cert.pem
[default_cert_file_env] => SSL_CERT_FILE
[default_cert_dir] => /etc/pki/tls/certs
[default_cert_dir_env] => SSL_CERT_DIR
[default_private_dir] => /etc/pki/tls/private
[default_default_cert_area] => /etc/pki/tls
[ini_cafile] =>
[ini_capath] =>
)
For me, this file was not there:
/etc/pki/tls/cert.pem
After I ran
update-ca-trust
I copied the file
/etc/pki/tls/certs/ca-bundle.crt to /etc/pki/tls/cert.pem and it worked.
UPDATE
Today I faced the same problem, but more complicated. The cert.pem was there, but mail was not sending. So how to debug it?
Well, first of all we need to see which root certificate is needed.
So I ran
openssl s_client -crlf -connect mail.domain.com:465
depth=0 C = EN, CN = mail.domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = EN, CN = mail.domain.com
verify error:num=21:unable to verify the first certificate
verify return:1
….
…
subject=/C=EN/CN=mail.domain.com
issuer=/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA
---
No client certificate CA names sent
From here we see that we need the StartCom Class 1 DV Server CA.
So I searched on Google and found it here:
https://www.startssl.com/root
So I downloaded the CA PEM file into /etc/pki/ca-trust/source/anchors/
and after this also ran
update-ca-trust extract
After this all was working fine.
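The lookup done by hand above, as an added example that is not part of the original post: a small shell script that reads openssl s_client output and prints the issuer CA when chain verification failed with error 20 or 21. The function names and the check_host wrapper are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): name the CA that is missing
# from the local trust store, based on `openssl s_client` output.

# Read s_client text on stdin. If chain verification failed with error 20 or
# 21, print the CN from the issuer= line and return 0; otherwise return 1.
# Assumes CN is the last field of the issuer line, as in the output above.
missing_issuer() {
    awk '
        /^verify error:num=(20|21):/ { failed = 1 }
        /^issuer=/ { issuer = $0; sub(/^.*CN ?= ?/, "", issuer) }
        END {
            if (failed && issuer != "") { print issuer; exit 0 }
            exit 1
        }
    '
}

# Hypothetical wrapper: check_host mail.domain.com:465
# The verify errors are written to stderr, so it is merged into the pipe;
# stdin comes from /dev/null so s_client exits after the handshake.
check_host() {
    openssl s_client -connect "$1" </dev/null 2>&1 | missing_issuer
}

# Sample input: the s_client lines shown in the post.
sample_output() {
    cat <<'EOF'
depth=0 C = EN, CN = mail.domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = EN, CN = mail.domain.com
verify error:num=21:unable to verify the first certificate
verify return:1
subject=/C=EN/CN=mail.domain.com
issuer=/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA
---
No client certificate CA names sent
EOF
}

# With no arguments, run on the sample; with host:port, check that server.
if [ "$#" -gt 0 ]; then check_host "$1"; else sample_output | missing_issuer; fi
```

A non-zero exit status means no verification failure was seen, so the trust store already covers that server's chain.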
More information can be found here
and here
http://kb.kerio.com/product/kerio-connect/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html