Comodo root certificate missing - what to do?

Matthias Petermann matthias at petermann-it.de
Fri Feb 13 11:02:44 UTC 2015 

Hello,

I try to update a dynamic DNS entry at EuroDNS using 
ddclient(EuroDynDNS). Ddclient is configured so that it accesses 
https://update.eurodyndns.org. When I open this URL in Firefox, the 
certificate is accepted.

The situation is different with ddclient or the openssl client. Both 
clients complain about the lack of local publisher certificate (see 
below).

The following findings from various forums I've checked:

* I use OpenSSL in base
* Ca_root_nss-3.17.4_1 from the ports installed
* Link from /etc/ssl/cert.pem exixtiert on 
/usr/local/share/certs/ca-root-nss.crt (manually created)

I have also tried the Comodo SSL certificates from
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/979/108/domain-validation-sha-2
attach it to /etc/ssl/cert.pem.

None of this has brought an improvement. Where could the problem be?

Thanks in advance and best regards,
Matthias



root at bsdberry:/usr/local/share/certs # openssl s_client -CAfile 
/etc/ssl/cert.pem -connect update.eurodyndns.org:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = COMODO SSL, CN = 
update.eurodyndns.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = COMODO SSL, CN = 
update.eurodyndns.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = COMODO SSL, CN = 
update.eurodyndns.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
  0 s:/OU=Domain Control Validated/OU=COMODO SSL/CN=update.eurodyndns.org
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO 
SSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFCDCCA/CgAwIBAgIQWrYgr7Hn0XCbNU1k3bTIfjANBgkqhkiG9w0BAQUFADBw
MQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
VQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDEWMBQGA1UE
AxMNQ09NT0RPIFNTTCBDQTAeFw0xNDA4MjIwMDAwMDBaFw0xNTA4MjkyMzU5NTla
MFgxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDETMBEGA1UECxMK
Q09NT0RPIFNTTDEeMBwGA1UEAxMVdXBkYXRlLmV1cm9keW5kbnMub3JnMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvpdpoTcpiA69SRoQHgpTgpnZ8hGQ
SG/ssUx7hYdpYv8zNiaLSxJoBNRzn2zKI/2783SHctFaX8HpjY1iEe1mCWV+XCNV
H+YM6wSo6QJ36VUwv/JmaMswPpwYJR+huUtFt2WSIlr/kknDvQ10N4NpqbaF+ryk
lXUm/L4kuf/3hJ4wehxLf/KTGtng1aISBk4MrlVI0R7vFvY9zfthTR97AQ24yggz
OHZnXPk0VcdTHPh8UPl1zvd2hKddmfXXxrkiVhxukgk+/o3i2DWVO3dD8ssS7c+i
tubFIXxnIZoOql+Y7koVwm1E4KCzrcpL0WEar5R5Pry01KDESkyickQiQwIDAQAB
o4IBtDCCAbAwHwYDVR0jBBgwFoAUG2u9H4pJGJRUN1W0IBftN7l3GH0wHQYDVR0O
BBYEFPVfl0OTHa0e4bVZ08XUnEh+R8iVMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMB
Af8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBG
MDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNv
bW9kby5jb20vQ1BTMAgGBmeBDAECATA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8v
Y3JsLmNvbW9kb2NhLmNvbS9DT01PRE9TU0xDQS5jcmwwaQYIKwYBBQUHAQEEXTBb
MDMGCCsGAQUFBzAChidodHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9DT01PRE9TU0xD
QS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTA7BgNV
HREENDAyghV1cGRhdGUuZXVyb2R5bmRucy5vcmeCGXd3dy51cGRhdGUuZXVyb2R5
bmRucy5vcmcwDQYJKoZIhvcNAQEFBQADggEBAJlb7hOlIhfdQQP7EGo3lpwH7dYm
gVPL78bLN+Xe+TIuCvq8bewv9Tv7FuwLGOwVcZQ0mfadsE9mY2aixMhwCwmUhtUx
tF0ebRg616WF3p27rTksdLyvA9R+GUmwL4CawCOvyWSj5KwUS6gGuVgt+XCGiITQ
dUfCYIBs2w9bwBRNbRGIhlWrdJVnzIsxiGpLZBXXDe0WPGXEmOJcRZCNEU1ZdIPj
E6j+0R0z5JZHyMIsm1vuBOlohiTR/Em/kyT8N1boH0mGSa9oXlP32ip7p5KGSSht
FKheeoE4rTAn4SWvxdvvV2P5M+uDWOa2RSTMoYmNzvjVqfvMw15I1QByDTs=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=COMODO 
SSL/CN=update.eurodyndns.org
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA 
Limited/CN=COMODO SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 2009 bytes and written 521 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : DHE-RSA-AES128-SHA
     Session-ID: 
E0996764ACCDE112BAE4307B4A15255C33917699528F12FF31A94AE445C9C83C
     Session-ID-ctx:
     Master-Key: 
2AB611143A51C8D2967F630DA1DD4555BB065BDA7B12C12A6F78E70D7E9A8AE465DEBD3AD551F8E7BE6D4CB75F2597E1
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1423827038
     Timeout   : 300 (sec)
     Verify return code: 21 (unable to verify the first certificate)
---

More information about the freebsd-questions mailing list