certificate verification error 2 unable to get issuer certificate apache
SSL user authentication not working in Apache

I'm facing a problem with authenticating clients through their SSL certificates which seems similar to a lot of problems I found throughout the net - unfortunately to no solution. Setup is: Apache 2.2, mod_ssl, OpenSSL on Debian Linux. I have a client using a GlobalSign PersonalSign certificate to authenticate.
I have set up SSLCACertificatePath I think correctly since apache debug tells me:

    [Thu May 10 15:31:35 2012] [debug] ssl_engine_init.c(1196): CA certificate: /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
    [Thu May 10 15:31:35 2012] [debug] ssl_engine_init.c(1196): CA certificate: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign PersonalSign 1 CA - G2
    [Thu May 10 15:31:35 2012] [debug] ssl_engine_init.c(1196): CA certificate: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign PersonalSign 1 CA - G2
    [Thu May 10 15:31:35 2012] [debug] ssl_engine_init.c(1196): CA certificate: /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

I don't know why both certificates are twice in this list. Hashes are symlinked correctly via c_rehash utility. Now the client authenticates (I copy what I think are the relevant entries from the debug log):

    Certificate Verification: depth: 1, subject: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign PersonalSign 1 CA - G2, issuer: /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
    Certificate Verification: Error (20): unable to get local issuer certificate
    OpenSSL: Write: SSLv3 read client certificate B
    OpenSSL: Exit: error in SSLv3 read client certificate B
    Re-negotiation handshake failed: Not accepted by client!?

which to my limited understanding means he is failing to get the issuer certificate for the intermediate GlobalSign PersonalSign 1 CA - G2 certificate. In fact the issuer_hash of this certificate matches the hash of the GlobalSign Root CA which is indeed
Source: http://serverfault.com/questions/387921/ssl-user-authentication-not-working-in-apache

openssl unable to get local issuer certificate debian

Source: http://stackoverflow.com/questions/26260445/openssl-unable-to-get-local-issuer-certificate-debian

I cannot verify the certificate by openssl

    openssl verify cert.pem

Gets something like this:

    cert.pem: / C = PL / O = DATA
    error 20 at 0 depth lookup: unable to get local issuer certificate

The same cert from the machine on Centos - verified correctly. Debian: squeeze / sid. Is it a problem with the CA ROOT? Update openssl help?

Tags: apache ssl openssl ssl-certificate
asked Oct 8 '14 at 15:13 by 0chi0

Answer (Vincent Falk, answered Oct 9 '14 at 10:02):

You need to specify the CA cert in order to verify the issued cert since it's obviously not included in the pem (though this would be possible):

    openssl verify -CAfile your_ca_cert_file cert.pem

If you do not get the error on CentOS then there's the CA cert around and openssl can use it to successfully verify cert.pem

Comment:

Thx for reply. If I understood:
- From the Debian done command: openssl verify -CAfile ca-bundle.crt cert.pem where:
- Ca-bundle.crt - ROOT CA of the certificate issuer (Unizeto / Certum - Poland)
- Cert.pem - certificate obtained from the issuer (Unizeto / Certum - Poland)
The result - test performed on a Debian system: openssl verify -CAfile bundle.crt ca-cert.pem cert.pem: OK openssl veri
SSL Certificate Errors in Apache

November 15, 2012

Source: https://degreesofzero.com/article/how-to-fix-missing-intermediate-ssl-certificate-errors-in-apache.html

Defining the Problem

I encountered a peculiar problem with my signed SSL certificates the other day. In the latest versions of Firefox and Chrome, the SSL certificate was being trusted and worked just fine. However, in Chrome in iPad (and likely other browsers with similarly limited capabilities), the certificate was deemed "untrusted."

I ran an SSL Test on the domain with which I was having the problem. This yielded a bit of very useful information:

    Chain issues: Incomplete

This gave me what I needed to further debug the problem. I discovered that I needed to have the server send a Certificate Chain with the initial SSL handshake in order for browsers that do not support "certificate discovery" to find the root certificate.

For additional information, see: Intermediate Certificate Authorities

Fixing the Problem

First, you will need to search your CA's website to download their Intermediate CA file. This file will contain the concatenated chain of trusted CA certificates needed to reach the root certificate. Once you find and download the chain file, you will need to upload it to your server.

Here's a list of Intermediate CA files for different Certificate Authorities:

- RapidSSL

For simplicity's sake, you will probably want to put the file in the same directory as your signed SSL certificate. Now you will need to configure your virtual host to send this chain file in its initial response for a handshake.

If you're using the default virtual host for port 443, edit the following line:

    #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

Uncomment the line and have it reference the path to the chain file you just uploaded to the server:

    SSLCACertificateFile /etc/apache2/path/to/chain/file

Restart Apache.

Is the Problem Fixed?

Run the SSL Test again. If all is well, the chain issue should be resolved.
If not, you can further debug the problem by using the following command in a terminal window on your personal computer (not on the server with the SSL issue):

    openssl s_client -showcerts -verify 32 -connect domain-name:443

- You will need to have openssl installed to run this command
- Be sure to replace domain-name with the domain that is having the SSL issue

The output of this command is quite dense and can be difficult to sort through. You will want to first find the top of the output, and then search for something like this:

    verify error:num=20:unable to get local issuer certificate

If you find a mistake in the article above, you can email me at chill [at] degreesofzero.com.
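The `-CAfile` answer and the chain debugging step above can be reproduced offline. This is an added example, not code from the quoted posts or the article: it builds a constructed root, intermediate and leaf certificate and reports which `openssl verify` inputs give error 20, error 2 or OK. All file names and subject names are assumptions made up for the example.

```shell
#!/usr/bin/env bash
# Added example: constructed root -> intermediate -> leaf chain (all names made up)
# to show which `openssl verify` inputs give error 20, error 2, or OK.
WORK=$(mktemp -d) && cd "$WORK" || exit 1

mkcsr() {  # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}

build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext   # marks a cert as a CA
  mkcsr root  "Constructed Root CA"
  mkcsr inter "Constructed Intermediate CA"
  mkcsr leaf  "leaf.example.test"
  # Self-signed root, intermediate signed by root, leaf signed by intermediate.
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 30 -out root.pem 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 30 -out inter.pem 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 30 -out leaf.pem 2>/dev/null
  cat inter.pem root.pem > bundle.pem   # CA bundle, as passed to -CAfile
}

# Run `openssl verify <options> leaf.pem`; print OK or "<error>@<depth>".
chain_status() {
  out=$(openssl verify "$@" leaf.pem 2>&1) || true
  case $out in
    *"leaf.pem: OK"*) echo OK ;;
    *) printf '%s\n' "$out" |
         sed -n 's/^error \([0-9]*\) at \([0-9]*\) depth.*/\1@\2/p' | head -n 1 ;;
  esac
}

build_pki
echo "root only, no intermediate:       $(chain_status -CAfile root.pem)"
echo "intermediate only, no root:       $(chain_status -CAfile inter.pem)"
echo "intermediate passed as untrusted: $(chain_status -CAfile root.pem -untrusted inter.pem)"
echo "root + intermediate bundle:       $(chain_status -CAfile bundle.pem)"
```

The depth in the result tells you which certificate lacks an issuer: depth 0 is the leaf (intermediate missing), depth 1 is the intermediate (root missing from the trusted set).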