Error 20 Unable To Get Local Issuer Certificate Apache
openssl unable to get local issuer certificate debian

I cannot verify the certificate with openssl:

    openssl verify cert.pem

    verify return code: 20 (unable to get local issuer certificate)

I get something like this:

    cert.pem: / C = PL / O = DATA
    error 20 at 0 depth lookup: unable to get local issuer certificate

The same cert on a CentOS machine is verified correctly.

Debian: squeeze / sid

Is it a problem with the CA ROOT? Would updating openssl help?

Tags: apache ssl openssl ssl-certificate

asked Oct 8 '14 at 15:13 by 0chi0

3 Answers
Answer (Vincent Falk, answered Oct 9 '14 at 10:02):

You need to specify the CA cert in order to verify the issued cert, since it's obviously not included in the pem (though this would be possible):

    openssl verify -CAfile your_ca_cert_file cert.pem

If you do not get the error on CentOS, then the CA cert is around there and openssl can use it to successfully verify cert.pem.

Comment by 0chi0, Oct 9 '14 at 19:38:

Thx for the reply. If I understood:

- The command run on Debian: openssl verify -CAfile ca-bundle.crt cert.pem
  where:
  - Ca-bundle.crt - ROOT CA of the certificate issuer (Unizeto / Certum - Poland)
  - Cert.pem - certificate obtained from the issuer (Unizeto / Certum - Poland)

The result - test performed on a Debian system:

    openssl verify -CAfile bundle.crt ca-cert.pem
    cert.pem: OK

    openssl verify cert.pem
    cert.pem: / C = PL / O = data...
    error 20 at 0 depth lookup: unable to get local issuer certificate

How do I do that without indicating ca-bundle.crt, so that my certificate has a status of OK?

Comment by lm713, Aug 31 '15 at 13:06:

You can also set and export the environment variables SSL_CERT_FILE or SSL_CERT_DIR...

    export SSL_CERT_FILE=/path/to/ca_bundle.crt

or

    export SSL_CERT_DIR=/path/to/ca/dir

Then you do not have to specify CAfile or CApath in every openssl command.

Unlike
Source of the question above: http://stackoverflow.com/questions/26260445/openssl-unable-to-get-local-issuer-certificate-debian

Certificate Verification: Error (20): unable to get local issuer certificate - Chrome on Apple OSX

We have installed an Apache Debian Wheezy HTTPS server using a certificate chain that looks like:

    AddTrust External CA Root -> PositiveSSL CA 2 -> ourdomain.com

The SSL part of the Apache configuration file looks like:

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/ourdomain.crt
    SSLCertificateKeyFile /etc/apache2/ssl/ourdomain.key
    SSLCertificateChainFile /etc/apache2/ssl/AddTrustExternalCARoot.crt
    SSLCertificateChainFile /etc/apache2/ssl/PositiveSSLCA2.crt
    SSLVerifyClient optional
    SSLVerifyDepth 2
    SSLOptions +StdEnvVars +StrictRequire
From http://thenubbyadmin.com/2015/02/19/fixing-unable-to-get-local-issuer-certificate-and-certificate-verify-failed-in-syslog-ng/:

My Problem

On a Linux host, attempting to set up syslog-ng shipping to an offsite collector over TLS results in errors such as:

    Feb 18 16:42:33 my.amazingserver.tld syslog-ng[987]: SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
    Feb 18 16:42:33 my.amazingserver.tld syslog-ng[987]: I/O error occurred while writing; fd='21', error='Broken pipe (32)'
    Feb 18 16:42:33 my.amazingserver.tld syslog-ng[987]: I/O error occurred while writing; fd='21', error='Broken pipe (32)'
    Feb 18 16:42:33 my.amazingserver.tld syslog-ng[987]: Syslog connection broken; fd='21', server='AF_INET(1.1.1.1:443)', time_reopen='60'
    Feb 18 16:43:33 my.amazingserver.tld syslog-ng[987]: Syslog connection unable to established; fd='21', server='AF_INET(1.1.1.1:443)', local='AF_INET(0.0.0.0:0)'
    Feb 18 16:43:33 my.amazingserver.tld syslog-ng[987]: Certificate validation failed; subject='CN=GeoTrust DV SSL CA - G4, OU=Domain Validated SSL, O=GeoTrust Inc., C=US', issuer='CN=GeoTrust Global CA, O=GeoTrust Inc., C=US', error='unable to get local issuer certificate', depth='1'
    Feb 18 16:34:31 my.amazinghost.com syslog-ng[987]: Certificate validation failed; subject='CN=GeoTrust DV SSL CA - G4, OU=Domain Validated SSL, O=GeoTrust Inc., C=US', issuer='CN=GeoTrust Global CA, O=GeoTrust Inc., C=US', error='unable to get local issuer certificate', depth='1'

As well as:

    SSL error while writing stream; tls_error='SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'

Running openssl s_client -connect my.syslog.endpoint.tld:443 gets, after the certificate chain, the following error:

    Verify return code: 20 (unable to get local issuer certificate)

My Solution

Find the CA certificate that is missing as indicated by the error message in the logs (in my case it was the GeoTrust Global CA certificate). Then follow the procedure for configuring the syslog-ng client for TLS.

The Long Story

The first clue to the problem is in the error message:

    Feb 18 16:34:31 my.amazinghost.com syslog-ng[987]: Certificate validation failed; subject='CN=GeoTrust DV SSL CA - G4, OU=Domain Validated SSL, O=GeoTrust Inc., C=US', issuer='CN=GeoTrust Global CA, O=GeoTrust Inc., C=US', error='unable to get local issuer certificate', depth='1'

The connection was being thwarted by not trusting "GeoTrust DV SSL CA - G4" specifically. If you go to GeoTrust's website and look for their various root certificates, you'll notice that there are a lot to look through. I copied the root certificate into a temporary file on the server named geotrust.test.ca.cer. I then ran the sam

From https://degreesofzero.com/article/how-to-fix-missing-intermediate-ssl-certificate-errors-in-apache.html:
SSL Certificate Errors in Apache

November 15, 2012

Defining the Problem

I encountered a peculiar problem with my signed SSL certificates the other day. In the latest versions of Firefox and Chrome, the SSL certificate was being trusted and worked just fine. However, in Chrome on iPad (and likely other browsers with similarly limited capabilities), the certificate was deemed "untrusted."

I ran an SSL Test on the domain with which I was having the problem. This yielded a bit of very useful information:

    Chain issues: Incomplete

This gave me what I needed to further debug the problem. I discovered that I needed to have the server send a Certificate Chain with the initial SSL handshake in order for browsers that do not support "certificate discovery" to find the root certificate.

For additional information, see: Intermediate Certificate Authorities

Fixing the Problem

First, you will need to search your CA's website to download their Intermediate CA file. This file will contain the concatenated chain of trusted CA certificates needed to reach the root certificate. Once you find and download the chain file, you will need to upload it to your server.

Here's a list of Intermediate CA files for different Certificate Authorities: RapidSSL

For simplicity's sake, you will probably want to put the file in the same directory as your signed SSL certificate. Now you will need to configure your virtual host to send this chain file in its initial response for a handshake.

If you're using the default virtual host for port 443, edit the following line:

    #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

Uncomment the line and have it reference the path to the chain file you just uploaded to the server:

    SSLCACertificateFile /etc/apache2/path/to/chain/file

Restart Apache.

Is the Problem Fixed?

Run the SSL Test again. If all is well, the chain issue should be resolved. If not, you can further debug the problem by using the following command in a terminal window on your personal computer (not on the server with the SSL issue):

    openssl s_client -showcerts -verify 32 -connect domain-name:443

- You will need to have openssl installed to run this command.
- Be sure to replace domain-name with the domain that is having the SSL issue.

The output of this command is quite dense and can be difficult to sort through. You will want to first find the top of the output, and then search for something like this:

    verify error:num=20:unable to get local issuer certificate

If you find a mistake in the article above, you can email me at chill [at] degreesofze
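The depth values in the errors quoted on this page can be reproduced offline. The script below is an added example, not code from any of the quoted posts: it builds a throwaway root, intermediate and leaf with the openssl CLI (all names and paths are constructed; OpenSSL 1.1.1 or later is assumed) and shows that error 20 at depth 0 means the leaf's issuer was not supplied, while error 20 at depth 1 means the intermediate was supplied but its root is not in the local trust store.

```shell
#!/bin/sh
# Added example: throwaway three-level chain; every name and path is constructed.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

make_chain() {  # $1 = directory that receives root.pem, int.pem and leaf.pem
  d=$1
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed root CA.
  openssl req -x509 -config "$d/demo.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/demo.cnf" -extensions ca_ext \
    -out "$d/int.pem" 2>/dev/null
  # Server (leaf) certificate, signed by the intermediate.
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

verify_result() {  # args go to `openssl verify`; prints OK or the first error
  out=$(openssl verify "$@" 2>&1) || true
  err=$(printf '%s\n' "$out" |
    sed -n 's/^error \([0-9]*\) at \([0-9]*\) depth lookup.*/error \1 at depth \2/p' | head -n 1)
  if [ -n "$err" ]; then echo "$err"
  elif printf '%s\n' "$out" | grep -q ': OK$'; then echo OK
  else echo "unexpected: $out"; fi
}

make_chain "$work"
# Root trusted, intermediate not supplied (the depth-0 error in the question above).
echo "leaf only:     $(verify_result -CAfile "$work/root.pem" "$work/leaf.pem")"
# Intermediate supplied, root not trusted locally (the syslog-ng depth='1' case).
echo "no local root: $(verify_result -untrusted "$work/int.pem" "$work/leaf.pem")"
# Root trusted and intermediate supplied: the chain completes.
echo "full chain:    $(verify_result -CAfile "$work/root.pem" -untrusted "$work/int.pem" "$work/leaf.pem")"
```

Here `-untrusted` stands in for the certificates a server sends in its handshake, and `-CAfile` for the client's local trust store.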