Gandi.net SSL Standard Certificate Install Problems

rockman · January 13, 2015, 1:33am

I used the CSR from mail-in-a-box admin to get a Gandi.net standard SSL cert. Upon installing the SSL cert in the Mail-in-a-boc admin, I receive the following error:

“The certificate is missing an intermediate chain or the intermediate
chain is incorrect or incomplete. (/tmp/tmpdpjeakv6.pem: OU = Domain
Control Validated, OU = Gandi Standard SSL, CN = box.mydomain.net
error 20 at 0 depth lookup:unable to get local issuer certificate)”

I have also attemtped to add the intermediate cert in the admin UI, but get the same error. Please advise.

rockman · January 13, 2015, 3:28am

I successfully created and used an SSL cert from StartSSL.

Gandi.net was too much of a pain to deal with for now. I am primarily testing Mail-in-a-box for being a one-click, idiot-proof email server solution.

So far, so good when you get the right combination of things sorted out, and you use the recommendations given on the admin pages.

Thanks Josh.

hayta · February 20, 2015, 9:03pm

Have to use UserTrust pem; problem solved.
http://wiki.gandi.net/en/ssl/intermediate

rockman · February 20, 2015, 9:23pm

Yea, so that’s still not helpful. I’ve read that page up and down. Left and right. Bollocks. I moved on to a StartSSL cert. It just works.

robsco · March 1, 2015, 7:43pm

For anyone who has had issues setting up the Gandi SSL certificates, this worked for me:

Input into the SSL intermediate chain (if provided):
This certificate on top.

This certificate below:
The one after You may download the certificate in DER format at the following address: http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt or recover it from the PEM format below:on this page.
For clarity; you want the PEM format.

crc32 · May 25, 2015, 6:17am

I had the same problem with a StartSSL certificate. I downloaded the intermediate certificate from here

PortableTech · May 25, 2015, 1:18pm

I use the StartSSL wildcard certs and they seem to work great with MiaB. I liked the setup so much I decided to upgrade to the personal validation.

In regards to StartSSL to, I did not use the CSR provided by MiaB so I could make a stronger certificate than the CSR requested. This did however require me to manually go and replace the private certificate on the server. No big deal, just something to keep in mind. I did not like how Chrome was complaining about it being a weak certificate when I used the MiaB CSR thus leading me down this path.

JoshData · May 25, 2015, 2:01pm

When did you first set up your box? Any box created recently should be providing SHA2 CSRs, which should fix that problem.

PortableTech · May 25, 2015, 2:24pm

It was under the previous version, about 6 weeks ago or so. I have since moved onto the current version and did not even think to look. I just made my own as I wanted the better cert.

JoshData · May 25, 2015, 2:36pm

Hmm. The change was longer than six weeks ago. Maybe there’s a bug.

PortableTech · May 25, 2015, 2:40pm

I was on 0.08 when I created the initial certificate if that helps.

Panther · May 26, 2015, 7:15pm

Yeah, I also had an issue installing certificates from any SSL provider. What I did was manually install the certificate into the box in /home/user-www