Certificate Verification Error 2 Unable To Get Issuer Certificate
'openssl verify' outputs 'unable to get local issuer certificate'
Question (asked Sep 5 '15 at 6:27 by Daniel, edited Sep 5 '15 at 9:05)

In /etc/ssl, when I do

    sudo openssl verify mywebsite.pem

I get a message stating

    mywebsite.pem: OU = GT46830179, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = *.logitapp.com
    error 20 at 0 depth lookup:unable to get local issuer certificate

I created mywebsite.key by copying from sslpoint's certificate generator into nano. I created mywebsite.pem by running

    sudo cat mywebsite.crt sslpointintermediate.crt >> mywebsite.pem

I created mywebsite.crt and sslpointintermediate.crt by pasting into nano from the email sslpoint sent me. mywebsite.pem and mywebsite.key aren't actually the names of the files.

Using Debian 8. Trying to get nginx and gunicorn working with ssl. Having problems with that and I think it's (at least partially) because the ssl certificates somehow aren't installed correctly, as indicated by the above output. How can I resolve this?

EDIT: In a previous version of this question I was also asking about 'openssl verify'ing the .key file. I've removed that part of the question as there's no point in trying that.

Tags: debian, ssl-certificate, installation, certificate, openssl

Answer

If you want to use openssl verify, you should instead use:

    openssl verify -CAfile your-intermediates-and-final.pem mywebsite.crt

with your-intermediates-and-final.pem containing all intermediate and final (trusted anchor) certificates concatenated, in PEM format.

If you want to use the -CApath /etc/ssl/certs option, each intermediate certificate must be in the /etc/ssl/certs directory and you must execute as root:

    $ c_rehash

The key only contains the private key and no certificate, so there is no point in "openssl verify"ing it. nginx seems to be correctly configured.
Verify the permissions are correct and you have the two following config para
Source for the thread above: http://serverfault.com/questions/720250/openssl-verify-outputs-unable-to-get-local-issuer-certificate

SSL Error: unable to get local issuer certificate
Source: http://stackoverflow.com/questions/24372942/ssl-error-unable-to-get-local-issuer-certificate

I'm having trouble configuring SSL on a Debian 6.0 32bit server. I'm relatively new with SSL so please bear with me. I'm including as much information as I can. Note: The true domain name has been changed to protect the identity and integrity of the server.

Configuration

The server is running using nginx. It is configured as follows:

    ssl_certificate /usr/local/nginx/priv/mysite.ca.chained.crt;
    ssl_certificate_key /usr/local/nginx/priv/mysite.ca.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_verify_depth 2;

I chained my certificate using the method described here

    cat mysite.ca.crt bundle.crt > mysite.ca.chained.crt

where mysite.ca.crt is the certificate given to me by the signing authority, and the bundle.crt is the CA certificate also sent to me by my signing authority. The problem is that I did not purchase the SSL certificate directly from GlobalSign, but instead through my hosting provider, Singlehop.

Testing

The certificate validates properly on Safari and Chrome, but not on Firefox. Initial searching revealed that it may be a problem with the CA. I explored the answer to a similar question, but was unable to find a solution, as I don't really understand what purpose each certificate serves.

I used openssl's s_client to test the connection, and received output which seems to indicate the same problem as the similar question. The error is as follows:

    depth=0 /OU=Domain Control Validated/CN=*.mysite.ca
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /OU=Domain Control Validated/CN=*.mysite.ca
    verify error:num=27:certificate not trusted
    verify return
Telling OpenSSL About Your Root Certificates
March 18, 2015, John Herbert (Networking, Software)
Source: http://movingpackets.net/2015/03/18/telling-openssl-about-your-root-certificates/

OpenSSL doesn't come with its own trusted root certificates; you have to tell it where to find them. This should be straightforward - and it is - but Apple have found a way to make it trickier.

Normal *nix Systems

On a normal unix system, openssl is pretty good at locating the root certificates, but it still doesn't automatically reference them. For example running Ubuntu:

    john@ubuntu:~$ openssl s_client -connect www.microsoft.com:443
    CONNECTED(00000003)
    depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    [...removed for brevity...]
    PSK identity hint: None
    SRP username: None
    Start Time: 1425842365
    Timeout : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    ---

Openssl is unable to validate the Verisign certificate. So where are the trusted root certificates stored? Actually, Openssl will tell us:

    john@ubuntu:~$ openssl version -d
    OPENSSLDIR: "/usr/lib/ssl"

Add that into the command as the -CApath parameter, and:

    john@ubuntu:~$ openssl s_client -CApath /usr/lib/ssl -connect www.microsoft.com:443
    CONNECTED(00000003)
    depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
    verify return:1
    depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc.

Source for the post that follows: http://thenubbyadmin.com/2015/02/19/fixing-unable-to-get-local-issuer-certificate-and-certificate-verify-failed-in-syslog-ng/
My Problem

On a Linux host, attempting to set up syslog-ng shipping to an offsite collector over TLS results in errors such as:

    Feb 18 16:42:33 my.amazingserver.tld syslog-ng[987]: SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
    Feb 18 16:42:33 my.amazingserver.tld syslog-ng[987]: I/O error occurred while writing; fd='21', error='Broken pipe (32)'
    Feb 18 16:42:33 my.amazingserver.tld syslog-ng[987]: I/O error occurred while writing; fd='21', error='Broken pipe (32)'
    Feb 18 16:42:33 my.amazingserver.tld syslog-ng[987]: Syslog connection broken; fd='21', server='AF_INET(1.1.1.1:443)', time_reopen='60'
    Feb 18 16:43:33 my.amazingserver.tld syslog-ng[987]: Syslog connection established; fd='21', server='AF_INET(1.1.1.1:443)', local='AF_INET(0.0.0.0:0)'
    Feb 18 16:43:33 my.amazingserver.tld syslog-ng[987]: Certificate validation failed; subject='CN=GeoTrust DV SSL CA - G4, OU=Domain Validated SSL, O=GeoTrust Inc., C=US', issuer='CN=GeoTrust Global CA, O=GeoTrust Inc., C=US', error='unable to get local issuer certificate', depth='1'
    Feb 18 16:34:31 my.amazinghost.com syslog-ng[987]: Certificate validation failed; subject='CN=GeoTrust DV SSL CA - G4, OU=Domain Validated SSL, O=GeoTrust Inc., C=US', issuer='CN=GeoTrust Global CA, O=GeoTrust Inc., C=US', error='unable to get local issuer certificate', depth='1'

As well as

    SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'

Running

    openssl s_client -connect my.syslog.endpoint.tld:443

gets, after the certificate chain, the following error:

    Verify return code: 20 (unable to get local issuer certificate)

My Solution

Find the CA certificate that is missing as indicated by the error message in the logs (in my case it was the GeoTrust Global CA certificate). Then follow the procedure for configuring the syslog-ng client for TLS.
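The first step of the solution above, reading the missing CA out of the log, can be scripted. This is an added example, not code from the original post: it scans syslog-ng lines of the form shown above and reports each issuer that OpenSSL could not find locally. The function names are hypothetical, and the sample log is constructed from the page's lines plus two invented edge cases.

```python
import re

# OpenSSL verify messages that mean an issuer is absent from the local trust store.
MISSING_ISSUER_ERRORS = {
    "unable to get local issuer certificate",  # verify error 20
    "unable to get issuer certificate",        # verify error 2
}
# syslog-ng writes message tags as key='value'; tolerate backslash-escaped quotes.
TAG_RE = re.compile(r"(\w+)='((?:[^'\\]|\\.)*)'")

# Constructed sample: lines 1-3 follow the page's log, lines 4-5 are invented edge cases.
SAMPLE_LOG = """\
Feb 18 16:42:33 my.amazingserver.tld syslog-ng[987]: SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
Feb 18 16:43:33 my.amazingserver.tld syslog-ng[987]: Certificate validation failed; subject='CN=GeoTrust DV SSL CA - G4, OU=Domain Validated SSL, O=GeoTrust Inc., C=US', issuer='CN=GeoTrust Global CA, O=GeoTrust Inc., C=US', error='unable to get local issuer certificate', depth='1'
Feb 18 16:44:33 my.amazingserver.tld syslog-ng[987]: Certificate validation failed; subject='CN=GeoTrust DV SSL CA - G4, OU=Domain Validated SSL, O=GeoTrust Inc., C=US', issuer='CN=GeoTrust Global CA, O=GeoTrust Inc., C=US', error='unable to get local issuer certificate', depth='1'
Feb 18 16:45:33 my.amazingserver.tld syslog-ng[987]: Certificate validation failed; subject='CN=collector.example.test', issuer='CN=Example Test CA', error='certificate has expired', depth='0'
Feb 18 16:46:33 my.amazingserver.tld syslog-ng[987]: Certificate validation failed; subject='CN=GeoTrust DV SSL CA - G4, OU=Domain
"""


def parse_validation_failure(line):
    """Return the tags of a 'Certificate validation failed' line, or None."""
    _, marker, tail = line.partition("Certificate validation failed;")
    if not marker:
        return None
    tags = dict(TAG_RE.findall(tail))
    if not {"subject", "issuer", "error", "depth"} <= tags.keys():
        return None  # truncated or unexpected line: skip rather than guess
    return tags


def missing_issuers(log_text):
    """Map each issuer DN not found locally to its hit count, depths and subjects."""
    report = {}
    for line in log_text.splitlines():
        tags = parse_validation_failure(line)
        if tags is None or tags["error"] not in MISSING_ISSUER_ERRORS:
            continue
        entry = report.setdefault(
            tags["issuer"], {"count": 0, "depths": set(), "subjects": set()})
        entry["count"] += 1
        entry["subjects"].add(tags["subject"])
        if tags["depth"].isdigit():
            entry["depths"].add(int(tags["depth"]))
    return report


if __name__ == "__main__":
    for issuer, info in missing_issuers(SAMPLE_LOG).items():
        print(f"missing CA: {issuer} (seen {info['count']}x, depth {sorted(info['depths'])})")
```

The issuer DN it reports is the certificate to obtain from the CA and install in the directory or file that syslog-ng is configured to trust.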
The Long Story

The first clue to the problem is in the error message:

    Feb 18 16:34:31 my.amazinghost.com syslog-ng[987]: Certificate validation failed; subject='CN=GeoTrust DV SSL CA - G4, OU=Domain Validated SSL, O=GeoTrust Inc., C=US', issuer='CN=GeoTrust Global CA, O=GeoTrust Inc., C=US', error='unable to get local issuer certificate', depth='1'

The connection was being thwarted by not trusting "GeoTrust DV SSL CA - G4" specifically. If you go to GeoTrust's website and look for their various root certificates, you'll notice that there are a