Openssl Error 20 Unable To Get Local Issuer Certificate
Verify Error:num=21:unable To Verify The First Certificate
OpenSSL Verify return code: 20 (unable to get local issuer certificate)

I am running Windows Vista and am attempting to connect via https to upload a file in a multi-part form, but I am having some trouble with the local issuer certificate. I am just trying to figure out why this isn't working now, and go back to my cURL code later after this is worked out. I'm running the command:

    openssl s_client -connect connect_to_site.com:443

It gives me a digital certificate from VeriSign, Inc., but also shoots out an error:

    Verify return code: 20 (unable to get local issuer certificate)

What is the local issuer certificate? Is that a certificate from my own computer? Is there a way around this? I have tried using -CAfile mozilla.pem but it still gives me the same error.

Tagged: openssl
asked Jul 18 '12 at 18:50 by bryan sammon

Comments:

Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See What topics can I ask about here in the Help Center. Perhaps Unix & Linux Stack Exchange or Information Security Stack Exchange would be a better place to ask. –jww Oct 8 at 16:59

What is the URL for the site? None of the answers are too impressive, but they can't answer the question because you redacted important details, like the server name. Also, connect_to_site.com is (or can be) a real site. You should use example.com because IANA reserves it for the purpose. –jww Oct 8 at 17:00

5 Answers

I had the same problem and solved it by passing path to a
http://stackoverflow.com/questions/11548336/openssl-verify-return-code-20-unable-to-get-local-issuer-certificate

Testing my SSL configuration
http://how2ssl.com/articles/testing_my_ssl_configuration/

There are many ways to do this; we'll present a couple:

On-line check

You can check your website's configuration with our on-line certificate checker.

OpenSSL command line tool

Use the client built into openssl. This command connects to an SSL server and displays the certificate chain; you can copy parts of the output to a PEM file and inspect them further with the openssl verify command.

    $ openssl s_client -connect mysite.com:443 -showcerts

Here is a typical output, with the certificate chain displayed:

    CONNECTED(00000003)
    depth=1 O = CA, OU = "CA", OU = CA, OU = CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Palo Alto/O=mysite/CN=mysite.com
       i:/O=CA/OU=CA/OU=CA/OU=CA
    -----BEGIN CERTIFICATE-----
    MIIDnzCCAwigAwIBAgIQCSGX4cDpzQPaNSQ2VhCGgTANBgkqhkiG9w0BAQUFADCB
    ujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVy
    aVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2Vy
    A
    .... MANY LINES LIKE THAT ....
    .... MANY LINES LIKE THAT ....
    gjRaROuWGxfY25KebCQpoBW2PJp3S1JmqHHyxjk4mzr+tzWK0Qn+tlBUy9igtkIh
    VybjO+AxBZve1qyJIsVraz8wrw==
    -----END CERTIFICATE-----
     1 s:/O=CA/OU=CA/OU=CA/OU=CA
       i:/C=US/O=CA/OU=Class 3 Public Primary Certification Authority
    -----BEGIN CERTIFICATE-----
    MIIDgzCCAuygAwIBAgIQRvzrurTQLw+SYJgjP5MHjzANBgkqhkiG9w0BAQUFADBf
    MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
    LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
    A
    .... MANY LINES LIKE THAT ....
    .... MANY LINES LIKE THAT ....
    OfamggNlEcS8vy2m9dk7CrWY+rN4uR7yK0xi1f2yeh3fM/1z+aXYLYwq6tH8sCi2
    6UlIE0uDihtIeyT3ON5vQVS4q1drBt/HotSp9vE2YoCI8ot11oBx
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=US/ST=California/L=Palo Alto/O=mysite/CN=mysite.com
    issuer=/O=CA/OU=CA/OU=CA/OU=CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2007 bytes and written 343 bytes
    ---
    New, TLSv1/SSLv3, Cipher is RC4-MD5
    Server public key is 1024 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol : SSLv3
        Cipher : RC4-MD5
        Session-ID: 244BE....793
        Session-ID-ctx:
        Master-Key: 18674D2....7DF2DE
        Key-Arg : None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1325335498
        Timeout : 7200 (sec)
        Verif
Telling OpenSSL About Your Root Certificates
http://movingpackets.net/2015/03/18/telling-openssl-about-your-root-certificates/
March 18, 2015, John Herbert (Networking, Software)

OpenSSL doesn’t come with its own trusted root certificates; you have to tell it where to find them. This should be straightforward - and it is - but Apple have found a way to make it trickier.

Normal *nix Systems

On a normal unix system, openssl is pretty good at locating the root certificates, but it still doesn’t automatically reference them. For example, on Ubuntu:

    john@ubuntu:~$ openssl s_client -connect www.microsoft.com:443
    CONNECTED(00000003)
    depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network,
    OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN =
    VeriSign Class 3 Public Primary Certification Authority - G5
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    [...removed for brevity...]
    PSK identity hint: None
    SRP username: None
    Start Time: 1425842365
    Timeout : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    ---

OpenSSL is unable to validate the VeriSign certificate. So where are the trusted root certificates stored? Actually, OpenSSL will tell us:

    john@ubuntu:~$ openssl version -d
    OPENSSLDIR: "/usr/lib/ssl"

Add that into the command as the -CApath parameter, and:

    john@ubuntu:~$ openssl s_client -CApath /usr/lib/ssl -connect

http://movingpackets.net/2015/03/16/five-essential-openssl-troubleshooting-commands/
Five Essential OpenSSL Troubleshooting Commands
March 16, 2015, John Herbert (Networking, Software, Tips)

Troubleshooting SSL certificates and connections? Here are five handy openssl commands that every network engineer should be able to use. Bookmark this - you never know when it will come in handy!

1. Check the Connection

    openssl s_client -showcerts -connect www.microsoft.com:443

This command opens an SSL connection to the specified site and displays the entire certificate chain as well. Here’s an abridged version of the sample output:

    MBP$ openssl s_client -showcerts -connect www.microsoft.com:443
    CONNECTED(00000003)
    depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=
         Washington/businessCategory=Private Organization/
         serialNumber=600413485/C=US/postalCode=98052/ST=Washington/
         L=Redmond/street=1 Microsoft Way/O=Microsoft Corporation/
         OU=MSCOM/CN=www.microsoft.com
       i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/
         CN=Symantec Class 3 EV SSL CA - G3
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
     1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/
         CN=Symantec Class 3 EV SSL CA - G3
       i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
     2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
       i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=
    Washington/businessCategory=Private Organization/
    serialNumber=600413485/C=US/postalCode=98052/ST=Washington/
    L=Redmond/stree