Openssl Error 21 Unable To Verify The First Certificate
Contents |
here for a quick overview of the site Help Center Detailed answers to any questions you might have Meta Discuss the workings and policies of unable to verify the first certificate nodejs this site About Us Learn more about Stack Overflow the company Business Learn
Verify Return Code 21 (unable To Verify The First Certificate) Self Signed
more about hiring developers or posting ads with us Stack Overflow Questions Jobs Documentation Tags Users Badges Ask Question
Verify Error:num=27:certificate Not Trusted
x Dismiss Join the Stack Overflow Community Stack Overflow is a community of 6.2 million programmers, just like you, helping each other. Join them; it only takes a minute: Sign up
Unable To Verify The First Certificate Npm
OpenSSL: unable to verify the first certificate for Experian URL up vote 28 down vote favorite 14 I am trying to verify an SSL connection to Experian in Ubuntu 10.10 with OpenSSL client. openssl s_client -CApath /etc/ssl/certs/ -connect dm1.experian.com:443 The problem is that the connection closes with a Verify return code: 21 (unable to verify the first certificate). I've checked the certificate list, and verify error:num=20:unable to get local issuer certificate the Certificate used to sign Experian (VeriSign Class 3 Secure Server CA - G3) is included in the list. /etc/ssl/certs/ca-certificates.crt Yet I don't know why it is not able to verify the first certificate. Thanks in advance. The entire response could be seen here: https://gist.github.com/1248790 ssl certificate openssl share|improve this question asked Sep 28 '11 at 18:35 pdjota 1,70611128 add a comment| 3 Answers 3 active oldest votes up vote 45 down vote accepted The first error message is telling you more about the problem: verify error:num=20:unable to get local issuer certificate The issuing certificate authority of the end entity server certificate is VeriSign Class 3 Secure Server CA - G3 Look closely in your CA file - you will not find this certificate since it is an intermediary CA - what you found was a similar-named G3 Public Primary CA of VeriSign. But why does the other connection succeed, but this one doesn't? The problem is a misconfiguration of the servers (see for yourself using the -debug option). The "good" server sends the entire certificate chain during the handshake, therefore providing you with the necessary intermediate certif
verify the first certificate Use this forum if you want to discuss a problem or ask unable to verify the first certificate irc a question related to a hMailServer beta release. Post Reply verify return code: 21 (unable to verify the first certificate) comodo Print view Search Advanced search 5 posts • Page 1 of 1 Minimalist Normal (unable to verify the first certificate.? (21)) hexchat user Posts: 45 Joined: 2006-05-24 16:31 Location: The InterWeb Contact: Contact Minimalist Website Yahoo Messenger AOL SSL help #2 - unable to verify the http://stackoverflow.com/questions/7587851/openssl-unable-to-verify-the-first-certificate-for-experian-url first certificate Quote Postby Minimalist » 2008-10-17 21:17 Anyone know how to resolve this? I was getting "invalid certificate" notices on an iPhone, and connecting to the server with SSL I get the following messages (this is a godaddy turbo ssl certificate):openssl s_client -connect mail.minimalist.com:995CONNECTED(00000003)depth=0 /O=mail.minimalist.com/CN=mail.minimalist.com/OU=Domain Control Validatedverify error:num=20:unable https://www.hmailserver.com/forum/viewtopic.php?t=13208 to get local issuer certificateverify return:1depth=0 /O=mail.minimalist.com/CN=mail.minimalist.com/OU=Domain Control Validatedverify error:num=27:certificate not trustedverify return:1depth=0 /O=mail.minimalist.com/CN=mail.minimalist.com/OU=Domain Control Validatedverify error:num=21:unable to verify the first certificateverify return:1---Certificate chain 0 s:/O=mail.minimalist.com/CN=mail.minimalist.com/OU=Domain Control Validated i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287---Server certificatethen the cert...-----END CERTIFICATE-----subject=/O=mail.minimalist.com/CN=mail.minimalist.com/OU=Domain Control Validatedissuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287---No client certificate CA names sent---SSL handshake has read 1817 bytes and written 700 bytes---New, TLSv1/SSLv3, Cipher is AES256-SHAServer public key is 4096 bitCompression: NONEExpansion: NONESSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: FF4E3DC6C504A570A591B06BB25C38FD7D55BBD8BE5F3ED91B2F3C240FA92E18 Session-ID-ctx: Master-Key: ABC68A2AB409BC2E08F876DA768A2F6DE36AFE43A9A0B97734AC979E296B36EB351D9F4895F33B9FC888AB18AEC4404B Key-Arg : None Start Time: 1224270554 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate)---+OKAny idea how to rectify? Do I need to add the whole chain of public certs to the public cert file? Kurt Koller Minimalist http://minimalist.com Top MP3Freak Normal user Posts: 221 Joined: 2007-06-13 22:19 Re: SSL help #2 - unable to verify the
the most widely-used technologies https://blog.nexcess.net/2011/05/14/using-openssl-to-verify-service-availability-and-configuration/ for securing communications over the internet. It does https://support.roambi.com/hc/en-us/articles/203061714-verify-error-num-21-unable-to-verify-the-first-certificate have a few design flaws, but it's still widely used to secure e-mail (IMAP-SSL and POP3-SSL), HTTP traffic (via HTTPS), and other communications. By far, the most common implementation of SSL is the OpenSSL unable to suite which is developed by a community of voluenteers. OpenSSL is the library powering the majority of SSL communications on the internet. Today, we're going to look at how to use a part of the OpenSSL suite to make sure that services unable to verify are working correctly. and here is the man page for what we'll be using today (s_client). If we just run s_client with basic options, the transaction looks like this:
helios:~$ openssl s_client -connect www.nexcess.net:443
CONNECTED(00000003)
depth=0 /serialNumber=RoynH3Jlh/6V62RNtqKI5TvUcWl5GDrQ/C=US/O=*.nexcess.net/OU=GT62060740/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=*.nexcess.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /serialNumber=RoynH3Jlh/6V62RNtqKI5TvUcWl5GDrQ/C=US/O=*.nexcess.net/OU=GT62060740/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=*.nexcess.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /serialNumber=RoynH3Jlh/6V62RNtqKI5TvUcWl5GDrQ/C=US/O=*.nexcess.net/OU=GT62060740/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=*.nexcess.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/serialNumber=RoynH3Jlh/6V62RNtqKI5TvUcWl5GDrQ/C=US/O=*.nexcess.net/OU=GT62060740/OU=See www.rapidssl.com/resources/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=*.nexcess.net
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MII
Forums System Status Roambi ES Roambi Analytics for Google Chrome Roambi for Windows 8 Roambi Internal Forum Analytics Publisher Account Flow Publisher Administration Roambi Analytics for iOS Roambi for Android and Windows Roambi Flow Roambi Lite/Pro Roambi Cloud Roambi Cloud Automation Roambi for Good Technology Roambi for Internal Distribution Powered by Zendesk