Sid D 4 Posted January 26, 2023 Hi - I am getting the following error for TIdServerIOHandlerSSLOpenSSL when starting the Windows Service. Running the app as stand-alone server does not throw the error. The error is thrown only when starting this Windows Service. Could not load root certificate. error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib The Delphi version used is Delphi 10.1 update 1 and Indy version is 10.6.2.5341. The root file is in pem format. What can be the reason here? Thanks Sid Share this post Link to post
Remy Lebeau 1394 Posted January 27, 2023 How are you configuring the SSLIOHandler? Does the Windows service have permission to access the certificate file? Share this post Link to post
Sid D 4 Posted January 27, 2023 It is resolved. It was not locating the file in the Service folder. The resolution was to get the complete folder name at run time (Service start) where this PEM file resides and assign it to the RootCert property. Thanks 1 Share this post Link to post
Sid D 4 Posted January 30, 2023 Hi Remy, I have one other question. CertFile, KeyFile and RootCertFile (intermediate certificate) are assigned to the TIdServerIOHandlerSSLOpenSSL component. We are running a PCI Scan on the Server and getting the following errors : Informative Details: depth=0 CN = *.XXXXX.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = *.XXXXX.com verify error:num=27:certificate not trusted verify return:1 depth=0 CN = *.XXXXX.com verify error:num=21:unable to verify the first certificate verify return:1 Serial: 3189977664522596489 (0x2c4513c8df4cb089) What could be the reason for these errors? Thanks Sid Share this post Link to post
Angus Robertson 574 Posted January 30, 2023 A PCI scan will be for a public server, so why are you hiding the public host name? SSLLabs rates SSL sites and offers extensive advice about certificate errors, server misconfiguration and chain errors. The error you describe sound like the certificate is issued by an untrusted CA, but no-one can tell without seeing it. Angus Share this post Link to post
Sid D 4 Posted January 30, 2023 I just hid the name here. It is a proper name in the subject otherwise. The Certificate is issued by GoDaddy and works fine with IIS. Looks like something to do with TIdServerIOHandlerSSLOpenSSL component? Thanks Share this post Link to post
Remy Lebeau 1394 Posted January 30, 2023 1 hour ago, Sid D said: What could be the reason for these errors? I can't answer that. I have very little experience working with certificates. Share this post Link to post
Angus Robertson 574 Posted January 30, 2023 29 minutes ago, Sid D said: Looks like something to do with TIdServerIOHandlerSSLOpenSSL component? Highly unlikely, it will be the way you have configured the component, probably the wrong certificates or protocols, but no-one can guess what you have done wrong. Ssllabs will keep the host secret if you tick the correct box, and will almost certainly give you clues. Angus Share this post Link to post