OpenSSL keeps telling me 'unable to get local issuer certificate'
I'm using CentOS, which has OpenSSL 1.0.2k-fips installed, and I've built and installed version 1.1.0g alongside it as part of a HTTP2 install outlined here: https://www.tunetheweb.com/performance/http2/



I've been using the 1.1.0g fine, but lately I renewed the certificates and now it seems lost when trying to verify the CA. The location of the CA file has not changed, the 1.0.2k-fips version seems fine with it, but 1.1.0g does not get past complaining:



Verify return code: 20 (unable to get local issuer certificate)


So, I've verified the certs are good, the location has not changed, I did not manually change any config.



I figured perhaps I should rebuild the 1.1.0g, but that changes nothing. I also tried using the -CApath option for the openssl command, like so (using the same dir as 1.0.2k-fips uses):



echo | /usr/local/ssl/bin/openssl s_client -connect example.com:443 -CApath /etc/pki/tls


I also tried -CAfile, directly pointing to the ca-bundle.crt which I know has the correct certs (1.0.2k-fips uses them without issue), still no change.



I'm clueless as to why it will not pick up my certs, and wonder if this problem might have already existed before I changed the certs (I checked if they worked after changing them, it might be possible 1.1.0g was already broken at that point).



I'm thinking it could be due to updates performed on the system, breaking some link or file, but where to look when the certificate stuff all looks normal? Or is 1.1.0g missing some other/more certs I need to point out to it?
centos ssl-certificate openssl
asked Mar 9 '18 at 10:29
kasimir
1 Answer
You can get s_client to show you the certificate chain with -showcerts:

openssl s_client -connect example.com:443 -showcerts </dev/null

This will start with the certificate chain, then show other information about the server certificate and TLS connection. All of that should help you to figure out where the trouble is. It might be in an intermediate certificate, not the CA.

You can get a quick summary of the certificate chain by filtering the output:

openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null |
sed -e '1,/Certificate chain/d' -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/d' -e '/---/,$d'
answered Mar 9 '18 at 20:23
Andrew Schulman
• Thanks for the suggestions, I compared the output of these commands between 'old' and 'new' OpenSSL and they show the same cert trail and info, there are only two minor differences in output (from your first command): 1. the newer OpenSSL tells me 'New, TLSv1.2, Cipher is...' vs. 'New, TLSv1/SSLv3, Cipher is...' in the last block and 2. the newer one lists 'Extended master secret: yes'. That's it, apart from the 'unable to get local issuer' message ofc.
  – kasimir, Mar 9 '18 at 21:50
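A small parser for the -showcerts transcript the answer above relies on, added here as an example and not part of the question or the answer: it pulls the s:/i: lines out of the "Certificate chain" section (the same cut the sed filter makes), reads the Verify return code, and reports whether the chain is contiguous and whether its last issuer is present in a given trust store, which is the distinction between a missing intermediate and a missing root that a code 20 does not make by itself. The s_client transcripts and the trust-store subjects (Example Root CA and so on) are constructed stand-ins, not real output.

```python
"""Parse `openssl s_client -showcerts` output and explain a
'Verify return code: 20 (unable to get local issuer certificate)'.
Added example, not code from the question or the answer; the
s_client transcripts here are constructed to mimic real output."""
import re

LEAF = "/CN=example.com"
INTER = "/O=Example CA/CN=Example Intermediate CA"
ROOT = "/O=Example CA/CN=Example Root CA"

# Subjects of the CA certificates in the local trust store (constructed).
TRUSTED_SUBJECTS = {ROOT}


def fake_s_client_output(chain_pairs, code, msg):
    """Build s_client-like text offline (constructed stand-in for a real
    `openssl s_client -showcerts` transcript; PEM bodies are placeholders)."""
    lines = ["CONNECTED(00000003)", "---", "Certificate chain"]
    for depth, (subj, iss) in enumerate(chain_pairs):
        lines += [" %d s:%s" % (depth, subj), "   i:%s" % iss,
                  "-----BEGIN CERTIFICATE-----", "MIIB...placeholder...",
                  "-----END CERTIFICATE-----"]
    lines += ["---", "Server certificate", "subject=%s" % chain_pairs[0][0],
              "---", "New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384",
              "    Verify return code: %d (%s)" % (code, msg)]
    return "\n".join(lines) + "\n"


def parse_chain(output):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain'
    section, skipping the PEM blocks (the same cut the sed filter makes)."""
    section = output.split("Certificate chain\n", 1)[1].split("\n---\n", 1)[0]
    pairs = re.findall(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", section, re.M)
    return [(int(d), s.strip(), i.strip()) for d, s, i in pairs]


def verify_code(output):
    """Numeric 'Verify return code' from the end of the transcript."""
    m = re.search(r"Verify return code: (\d+)", output)
    return int(m.group(1)) if m else None


def diagnose(chain, trusted_subjects):
    """Each certificate's issuer must be the next certificate's subject, and
    the issuer of the last one must be a subject in the trust store."""
    if not chain:
        return "no certificates in the chain section"
    for (_, _, issuer), (_, next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return "chain not contiguous: %s is followed by %s" % (issuer, next_subject)
    last_subject, last_issuer = chain[-1][1], chain[-1][2]
    if last_issuer in trusted_subjects:
        return "chain complete and anchored in the trust store"
    if last_subject == last_issuer:
        return "self-signed root %s is not in the trust store" % last_issuer
    return "issuer %s was neither sent by the server nor found in the trust store" % last_issuer


def check(output, trusted_subjects=TRUSTED_SUBJECTS):
    """Return (verify return code, number of certs sent, diagnosis)."""
    chain = parse_chain(output)
    return verify_code(output), len(chain), diagnose(chain, trusted_subjects)


if __name__ == "__main__":
    good = fake_s_client_output([(LEAF, INTER), (INTER, ROOT)], 0, "ok")
    bad = fake_s_client_output([(LEAF, INTER)], 20, "unable to get local issuer certificate")
    print(check(good), check(bad), sep="\n")
```

To use it against a real server, capture the transcript with the answer's command into a file and pass its contents to check() together with the subjects of the bundle you expect OpenSSL to trust.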