Sid D

TIdServerIOHandlerSSLOpenSSL root certificate error


Hi - I am getting the following error for TIdServerIOHandlerSSLOpenSSL when starting the Windows service. Running the app as a stand-alone server does not throw the error. The error is thrown only when starting this Windows service.

Could not load root certificate. error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

The Delphi version used is Delphi 10.1 Update 1 and the Indy version is 10.6.2.5341. The root file is in PEM format.

What can be the reason here?

Thanks

Sid

How are you configuring the SSLIOHandler? Does the Windows service have permission to access the certificate file?

It is resolved. It was not locating the file in the service folder. The resolution was to get the complete folder name at run time (service start) where this PEM file resides and assign it to the RootCert property.

Thanks

Hi Remy,

I have one other question.

CertFile, KeyFile and RootCertFile (intermediate certificate) are assigned to the TIdServerIOHandlerSSLOpenSSL component. We are running a PCI scan on the server and getting the following errors:

Informative Details:
depth=0 CN = *.XXXXX.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.XXXXX.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = *.XXXXX.com
verify error:num=21:unable to verify the first certificate
verify return:1
Serial: 3189977664522596489 (0x2c4513c8df4cb089)

What could be the reason for these errors?

Thanks

Sid

A PCI scan will be for a public server, so why are you hiding the public host name?

SSLLabs rates SSL sites and offers extensive advice about certificate errors, server misconfiguration and chain errors.

The error you describe sounds like the certificate is issued by an untrusted CA, but no-one can tell without seeing it.

Angus

I just hid the name here. It is a proper name in the subject otherwise.

The Certificate is issued by GoDaddy and works fine with IIS.

Looks like something to do with the TIdServerIOHandlerSSLOpenSSL component?

Thanks

1 hour ago, Sid D said:

What could be the reason for these errors?

I can't answer that. I have very little experience working with certificates.

29 minutes ago, Sid D said:

Looks like something to do with the TIdServerIOHandlerSSLOpenSSL component?

Highly unlikely; it will be the way you have configured the component, probably the wrong certificates or protocols, but no-one can guess what you have done wrong.

SSLLabs will keep the host secret if you tick the correct box, and will almost certainly give you clues.

Angus

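Editor's note on the scan output quoted earlier in the thread. The three lines num=20, num=27 and num=21, all at depth=0, are the standard trio OpenSSL prints when a server sends only its own certificate and the verifier has never seen the issuing intermediate: no local issuer can be found for the leaf (20), so the leaf counts as untrusted (27) and the first certificate in the chain cannot be verified (21); s_client's verify callback keeps going after an error, which is why all three show up for the same certificate. A scanner trusts the GoDaddy root, not the GoDaddy intermediate, so the server has to send the intermediate itself. The script below is an added example, not code from the thread, from Indy or from GoDaddy: it builds a constructed root, intermediate and leaf (all names are made up), reproduces the failure offline with `openssl verify`, and then assembles the leaf-plus-intermediate file a server should present. It needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example: reproduce "unable to get local issuer certificate" (X509 error 20)
# with a constructed root -> intermediate -> leaf chain, then build the chain file
# the server must present. Requires the openssl CLI; all names are invented.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-contained config so the example does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = root_ext
prompt = no
[dn]
CN = Demo Root CA
[root_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[int_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# 1. Self-signed root: the only certificate a scanner's trust store would hold.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
# 2. Intermediate CA signed by the root (the role a public CA's issuing CA plays).
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
  -subj "/CN=Demo Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
openssl x509 -req -days 30 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/ca.cnf" -extensions int_ext -out "$WORK/int.pem" >/dev/null 2>&1
# 3. Server (leaf) certificate signed by the intermediate, not by the root.
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
  -subj "/CN=www.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -extfile "$WORK/ca.cnf" -extensions leaf_ext -out "$WORK/leaf.pem" >/dev/null 2>&1

# What the scanner sees when the server sends only the leaf: the root is trusted,
# the intermediate is unknown, so no issuer is found -> "error 20 at 0 depth lookup".
verify_leaf_alone() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 || true
}

# Same trust store, but the intermediate supplied as an untrusted, server-sent certificate.
verify_leaf_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" 2>&1 || true
}

# The file the server must present: leaf first, then each intermediate, no root.
# Prints the number of certificates in it (2 here).
build_server_chain() {
  cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/server-chain.pem"
  grep -c 'BEGIN CERTIFICATE' "$WORK/server-chain.pem"
}

# Verify the assembled chain file against the root alone, as the scanner would.
verify_server_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/server-chain.pem" "$WORK/leaf.pem" 2>&1 || true
}

echo "--- leaf only (what the scan reported) ---"
verify_leaf_alone
echo "--- leaf + intermediate ---"
verify_leaf_with_intermediate
echo "--- certificates in server-chain.pem: $(build_server_chain)"
verify_server_chain
```

Against a live server, `openssl s_client -connect host:443 -servername host -showcerts` lists every certificate sent in the handshake; a correctly configured server shows the leaf followed by its intermediate, and SSLLabs reports the same thing under "Chain issues". On the Indy side, my reading of IdSSLOpenSSL.pas (an assumption to check against your own Indy version) is that a PEM CertFile is loaded with SSL_CTX_use_certificate_chain_file, so concatenating the intermediate after the server certificate in the CertFile is what makes the server send it, while RootCertFile goes to SSL_CTX_load_verify_locations and only affects how the server verifies client certificates, not what it presents to a scanner.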
