Openssl Verify Error 20 Unable To Get Local Issuer Certificate
“verify error:num=20” when connecting to gateway.sandbox.push.apple.com

I am attempting to run the Ray Wenderlich tutorial found at Apple Push Notification Services in iOS 6 Tutorial: Part 1/2. I created an AppID and SSL certificate and keys and PEM files in a local directory. Afterwards, I got to the step to test whether the certificate works, and I invoked the following command from this local directory:

    $ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert PushChatCert.pem -key PushChatKey.pem

This produced a lot of output. In the middle of the output was the following:

    verify error:num=20:unable to get local issuer certificate
    verify return:0

Is this an error, or is this a test for an error? If it's an error, what would be the cause or what would you suggest to resolve it?

Here is the complete output (less the certificate data):

    Enter pass phrase for PushChatKey.pem:
    CONNECTED(00000003)
    depth=1 /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
       i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is inco
Source: http://stackoverflow.com/questions/23343910/verify-errornum-20-when-connecting-to-gateway-sandbox-push-apple-com

Testing my SSL configuration

There are many ways to do this; we'll present a couple.

On-line check

You can check your website's configuration with our on-line certificate checker.

OpenSSL command line tool

Use the openssl built-in client. This command connects to an SSL server and displays the certificate chain. You can copy parts of the output to a PEM file and inspect them further with the openssl verify command.

    $ openssl s_client -connect mysite.com:443 -showcerts

Here is a typical output, with the certificate chain displayed:

    CONNECTED(00000003)
    depth=1 O = CA, OU = "CA", OU = CA, OU = CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Palo Alto/O=mysite/CN=mysite.com
       i:/O=CA/OU=CA/OU=CA/OU=CA
    -----BEGIN CERTIFICATE-----
    MIIDnzCCAwigAwIBAgIQCSGX4cDpzQPaNSQ2VhCGgTANBgkqhkiG9w0BAQUFADCB
    ujEfMB0GA1UEChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVy
    aVNpZ24sIEluYy4xMzAxBgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2Vy
    A
    .... MANY LINES LIKE THAT ....
    .... MANY LINES LIKE THAT ....
    gjRaROuWGxfY25KebCQpoBW2PJp3S1JmqHHyxjk4mzr+tzWK0Qn+tlBUy9igtkIh
    VybjO+AxBZve1qyJIsVraz8wrw==
    -----END CERTIFICATE-----
     1 s:/O=CA/OU=CA/OU=CA/OU=CA
       i:/C=US/O=CA/OU=Class 3 Public Primary Certification Authority
    -----BEGIN CERTIFICATE-----
    MIIDgzCCAuygAwIBAgIQRvzrurTQLw+SYJgjP5MHjzANBgkqhkiG9w0BAQUFADBf
    MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
    LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
    A
    .... MANY LINES LIKE THAT ....
    .... MANY LINES LIKE THAT ....
    OfamggNlEcS8vy2m9dk7CrWY+rN4uR7yK0xi1f2yeh3fM/1z+aXYLYwq6tH8sCi2
    6UlIE0uDihtIeyT3ON5vQVS4q1drBt/HotSp9vE2YoCI8ot11oBx
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=US/ST=California/L=Palo Alto/O=mysite/CN=mysite.com
    issuer=/O=CA/OU=CA/OU=CA/OU=CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2007 bytes and written 343 bytes
    ---
    New, TLSv1/SSLv3, Cipher is RC4-MD5
    Server public key is 1024 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : SSLv3
        Cipher    : RC4-MD5
        Session-ID: 244BE....793
        Session-ID-ctx:
        Master-Key: 18674D2....7DF2DE
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1325335498
        Timeout   : 7200 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---

Browser

Well, you can open the site with your browser! When it loads, click on the padlock sign and look for a "view certificates" button. This method is not recommended as some browsers will not show all certificates sent by the server and some will show the bundled certificates as if they were sent from th

Source: http://how2ssl.com/articles/testing_my_ssl_configuration/

SSL Certificate error: verify error:num=20:unable to get local issuer certificate

I've been trying to get an SSL connection to an LDAPS server (Active Directory) to work, but keep having problems. I tried using this:

    openssl s_client -connect the.server.edu:3269

With the following result:

    verify error:num=20:unable to get local issuer certificate

I thought, OK, well server's an old production server a few years old. Maybe the CA isn't present. I then pulled the certificate from the output into a pem file and tried:

    openssl s_client -CAfile mycert.pem -connect the.server.edu:3269

And that didn't work either. What am I missing? Shouldn't that ALWAYS work?

asked Jan 21 '11 at 22:24, Brian (migrated from superuser.com Jan 22 '11 at 3:14)

For clarity's sake, it appears that LDAPS, when served from Windows, does not present the CA certificate when a connection is made. Therefore, you should obtain the CA X.509 cert, export as base64 and assign as described in answers below. In my case, using python-ldap you assign it at GLOBAL scope (not your ldap.initialize() instance) as:

    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'./ca_issuer_cert.pem')

After this, I was able to use STARTTLS (within LDAP port 389) as expected. –mbrownnyc Jan 15 '13 at 15:23

That error is openssl's way of saying, "I can't follow the certificate chain to a trusted root". I just did the same command to my own AD servers and I get a full cert-chain, but the top certificate has that exact error. If you have the pub-key of the CA that signed the cert you can specify it with the -CAfile or -CApath options.

answered Jan 22 '11 at 0:40, sysadmin1138

Source: http://serverfault.com/questions/225449/ssl-certificate-error-verify-errornum-20unable-to-get-local-issuer-certificat
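
As an added example (not part of the posts or the how2ssl article quoted above), this Python script reads the "Certificate chain" block that s_client prints, as in the how2ssl output and the answer's point about following the chain to a trusted root, and names the issuer that -CAfile or -CApath has to supply. The function names and the reduced sample are assumptions constructed for illustration.

```python
import re

# Constructed sample: the s_client output from the how2ssl excerpt above,
# reduced to the lines the parser reads (PEM bodies left out).
SAMPLE = """\
depth=1 O = CA, OU = "CA", OU = CA, OU = CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=California/L=Palo Alto/O=mysite/CN=mysite.com
   i:/O=CA/OU=CA/OU=CA/OU=CA
 1 s:/O=CA/OU=CA/OU=CA/OU=CA
   i:/C=US/O=CA/OU=Class 3 Public Primary Certification Authority
---
    Verify return code: 20 (unable to get local issuer certificate)
"""

# One chain entry is an "N s:<subject>" line followed by an "i:<issuer>" line.
CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s+i:(.*)$", re.MULTILINE)
RETURN_CODE = re.compile(r"Verify return code:\s*(\d+)")


def parse_chain(text):
    """Return [(depth, subject, issuer), ...] in the order the server sent them."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in CHAIN_ENTRY.findall(text)]


def diagnose(text):
    """Report which certificate the local trust store (-CAfile/-CApath) must hold."""
    chain = parse_chain(text)
    code = RETURN_CODE.search(text)
    result = {"verify_code": int(code.group(1)) if code else None,
              "sent": len(chain), "broken_links": [], "needed_locally": None}
    if not chain:
        return result
    # Each certificate sent should name the next one in the list as its issuer.
    result["broken_links"] = [
        depth for (depth, _, issuer), (_, next_subject, _) in zip(chain, chain[1:])
        if issuer != next_subject
    ]
    _, top_subject, top_issuer = chain[-1]
    # A self-signed top certificate must itself be trusted locally; otherwise
    # the issuer it names was not sent and has to come from the local store.
    result["needed_locally"] = top_subject if top_subject == top_issuer else top_issuer
    return result


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

When the server sends only its own certificate, as the comment above describes for LDAPS on Windows, `needed_locally` is the issuer named on that certificate, not the certificate copied out of the s_client output.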