OpenSSL keeps telling me 'unable to get local issuer certificate' Announcing the arrival of...

Resize vertical bars (absolute-value symbols)

what is the log of the PDF for a Normal Distribution?

Why datecode is SO IMPORTANT to chip manufacturers?

How to ask rejected full-time candidates to apply to teach individual courses?

How do living politicians protect their readily obtainable signatures from misuse?

How does light 'choose' between wave and particle behaviour?

Delete free apps from library

"klopfte jemand" or "jemand klopfte"?

How many time has Arya actually used Needle?

What initially awakened the Balrog?

Flight departed from the gate 5 min before scheduled departure time. Refund options

After Sam didn't return home in the end, were he and Al still friends?

Special flights

Co-worker has annoying ringtone

Was Kant an Intuitionist about mathematical objects?

Why weren't discrete x86 CPUs ever used in game hardware?

Asymptotics question

The test team as an enemy of development? And how can this be avoided?

Is it dangerous to install hacking tools on my private linux machine?

How to change the tick of the color bar legend to black

A `coordinate` command ignored

Nose gear failure in single prop aircraft: belly landing or nose-gear up landing?

I can't produce songs

Would color changing eyes affect vision?



OpenSSL keeps telling me 'unable to get local issuer certificate'



Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern)
Come Celebrate our 10 Year Anniversary!OpenSSL error 20: unable to get local issuer certificateAdding root certificate to CentOS 5Postfix and OpenSSL: “Unable to get local issuer certificate”How to debug certificate chains with OpenSSL?OCSP validation - unable to get local issuer certificateOpenSSL: unable to get local issuer certificateAdding trusted root certificates to the server cent osCurl: unable to get local issuer certificate. How to debug?Trying to connect to LDAPS (Windows active directory) but keep receiving Verify return code: 20 (unable to get local issuer certificate) errorOpenSSL/HAProxy verify client certificates using a non-CA certificate





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







4















I'm using CentOS, which has OpenSSL 1.0.2k-fips installed, and I've built and installed version 1.1.0g alongside it as part of a HTTP2 install outlined here: https://www.tunetheweb.com/performance/http2/



I've been using the 1.1.0g fine, but lately I renewed the certificates and now it seems lost when trying to verify the CA. The location of the CA file has not changed, the 1.0.2k-fips version seems fine with it, but 1.1.0g does not get past complaining:



Verify return code: 20 (unable to get local issuer certificate)


So, I've verified the certs are good, the location has not changed, I did not manually change any config.



I figured perhaps I should rebuild the 1.1.0g, but that changes nothing. I also tried using the -CApath option for the openssl command, like so (using the same dir as 1.0.2k-fips uses):



echo | /usr/local/ssl/bin/openssl s_client -connect example.com:443 -CApath /etc/pki/tls


I also tried -CAfile, directly pointing to the ca-bundle.crt which I know has the correct certs (1.0.2k-fips uses them without issue), still no change.



I'm clueless as to why it will not pick up my certs, and wonder if this problem might have already existed before I changed the certs (I checked if they worked after changing them, it might be possible 1.1.0g was already broken at that point).



I'm thinking it could be due to updates performed on the system, breaking some link or file, but where to look when the certificate stuff all looks normal? Or is 1.1.0g missing some other/more certs I need to point out to it?










share|improve this question














bumped to the homepage by Community 10 mins ago


This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.






















    4















    I'm using CentOS, which has OpenSSL 1.0.2k-fips installed, and I've built and installed version 1.1.0g alongside it as part of a HTTP2 install outlined here: https://www.tunetheweb.com/performance/http2/



    I've been using the 1.1.0g fine, but lately I renewed the certificates and now it seems lost when trying to verify the CA. The location of the CA file has not changed, the 1.0.2k-fips version seems fine with it, but 1.1.0g does not get past complaining:



    Verify return code: 20 (unable to get local issuer certificate)


    So, I've verified the certs are good, the location has not changed, I did not manually change any config.



    I figured perhaps I should rebuild the 1.1.0g, but that changes nothing. I also tried using the -CApath option for the openssl command, like so (using the same dir as 1.0.2k-fips uses):



    echo | /usr/local/ssl/bin/openssl s_client -connect example.com:443 -CApath /etc/pki/tls


    I also tried -CAfile, directly pointing to the ca-bundle.crt which I know has the correct certs (1.0.2k-fips uses them without issue), still no change.



    I'm clueless as to why it will not pick up my certs, and wonder if this problem might have already existed before I changed the certs (I checked if they worked after changing them, it might be possible 1.1.0g was already broken at that point).



    I'm thinking it could be due to updates performed on the system, breaking some link or file, but where to look when the certificate stuff all looks normal? Or is 1.1.0g missing some other/more certs I need to point out to it?










    share|improve this question














    bumped to the homepage by Community 10 mins ago


    This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.


















      4












      4








      4








      I'm using CentOS, which has OpenSSL 1.0.2k-fips installed, and I've built and installed version 1.1.0g alongside it as part of a HTTP2 install outlined here: https://www.tunetheweb.com/performance/http2/



      I've been using the 1.1.0g fine, but lately I renewed the certificates and now it seems lost when trying to verify the CA. The location of the CA file has not changed, the 1.0.2k-fips version seems fine with it, but 1.1.0g does not get past complaining:



      Verify return code: 20 (unable to get local issuer certificate)


      So, I've verified the certs are good, the location has not changed, I did not manually change any config.



      I figured perhaps I should rebuild the 1.1.0g, but that changes nothing. I also tried using the -CApath option for the openssl command, like so (using the same dir as 1.0.2k-fips uses):



      echo | /usr/local/ssl/bin/openssl s_client -connect example.com:443 -CApath /etc/pki/tls


      I also tried -CAfile, directly pointing to the ca-bundle.crt which I know has the correct certs (1.0.2k-fips uses them without issue), still no change.



      I'm clueless as to why it will not pick up my certs, and wonder if this problem might have already existed before I changed the certs (I checked if they worked after changing them, it might be possible 1.1.0g was already broken at that point).



      I'm thinking it could be due to updates performed on the system, breaking some link or file, but where to look when the certificate stuff all looks normal? Or is 1.1.0g missing some other/more certs I need to point out to it?










      share|improve this question














      I'm using CentOS, which has OpenSSL 1.0.2k-fips installed, and I've built and installed version 1.1.0g alongside it as part of a HTTP2 install outlined here: https://www.tunetheweb.com/performance/http2/



      I've been using the 1.1.0g fine, but lately I renewed the certificates and now it seems lost when trying to verify the CA. The location of the CA file has not changed, the 1.0.2k-fips version seems fine with it, but 1.1.0g does not get past complaining:



      Verify return code: 20 (unable to get local issuer certificate)


      So, I've verified the certs are good, the location has not changed, I did not manually change any config.



      I figured perhaps I should rebuild the 1.1.0g, but that changes nothing. I also tried using the -CApath option for the openssl command, like so (using the same dir as 1.0.2k-fips uses):



      echo | /usr/local/ssl/bin/openssl s_client -connect example.com:443 -CApath /etc/pki/tls


      I also tried -CAfile, directly pointing to the ca-bundle.crt which I know has the correct certs (1.0.2k-fips uses them without issue), still no change.



      I'm clueless as to why it will not pick up my certs, and wonder if this problem might have already existed before I changed the certs (I checked if they worked after changing them, it might be possible 1.1.0g was already broken at that point).



      I'm thinking it could be due to updates performed on the system, breaking some link or file, but where to look when the certificate stuff all looks normal? Or is 1.1.0g missing some other/more certs I need to point out to it?







      centos ssl-certificate openssl






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Mar 9 '18 at 10:29









      kasimirkasimir

      13816




      13816





      bumped to the homepage by Community 10 mins ago


      This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.







      bumped to the homepage by Community 10 mins ago


      This question has answers that may be good or bad; the system has marked it active so that they can be reviewed.
























          1 Answer
          1






          active

          oldest

          votes


















          0














          You can get s_client to show you the certificate chain with -showcerts:



          openssl s_client -connect example.com:443 -showcerts </dev/null


          This will start with the certificate chain, then show other information about the server certificate and TLS connection. All of that should help you to figure out where the trouble is. It might be in an intermediate certificate, not the CA.



          You can get a quick summary of the certificate chain by filtering the output:



          openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null |
          sed -e '1,/Certificate chain/d' -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/d' -e '/---/,$d'





          share|improve this answer
























          • Thanks for the suggestions, I compared the output of these commands between 'old' and 'new' OpenSSL and they show the same cert trail and info, there are only two minor differences in output (from your first command): 1. the newer OpenSSL tells me 'New, TLSv1.2, Cipher is...' vs. 'New, TLSv1/SSLv3, Cipher is...' in the last block and 2. the newer one lists 'Extended master secret: yes'. That's it, apart from the 'unable to get local issuer' message ofc.

            – kasimir
            Mar 9 '18 at 21:50












          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "2"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f900837%2fopenssl-keeps-telling-me-unable-to-get-local-issuer-certificate%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          You can get s_client to show you the certificate chain with -showcerts:



          openssl s_client -connect example.com:443 -showcerts </dev/null


          This will start with the certificate chain, then show other information about the server certificate and TLS connection. All of that should help you to figure out where the trouble is. It might be in an intermediate certificate, not the CA.



          You can get a quick summary of the certificate chain by filtering the output:



          openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null |
          sed -e '1,/Certificate chain/d' -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/d' -e '/---/,$d'





          share|improve this answer
























          • Thanks for the suggestions, I compared the output of these commands between 'old' and 'new' OpenSSL and they show the same cert trail and info, there are only two minor differences in output (from your first command): 1. the newer OpenSSL tells me 'New, TLSv1.2, Cipher is...' vs. 'New, TLSv1/SSLv3, Cipher is...' in the last block and 2. the newer one lists 'Extended master secret: yes'. That's it, apart from the 'unable to get local issuer' message ofc.

            – kasimir
            Mar 9 '18 at 21:50
















          0














          You can get s_client to show you the certificate chain with -showcerts:



          openssl s_client -connect example.com:443 -showcerts </dev/null


          This will start with the certificate chain, then show other information about the server certificate and TLS connection. All of that should help you to figure out where the trouble is. It might be in an intermediate certificate, not the CA.



          You can get a quick summary of the certificate chain by filtering the output:



          openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null |
          sed -e '1,/Certificate chain/d' -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/d' -e '/---/,$d'





          share|improve this answer
























          • Thanks for the suggestions, I compared the output of these commands between 'old' and 'new' OpenSSL and they show the same cert trail and info, there are only two minor differences in output (from your first command): 1. the newer OpenSSL tells me 'New, TLSv1.2, Cipher is...' vs. 'New, TLSv1/SSLv3, Cipher is...' in the last block and 2. the newer one lists 'Extended master secret: yes'. That's it, apart from the 'unable to get local issuer' message ofc.

            – kasimir
            Mar 9 '18 at 21:50














          0












          0








          0







          You can get s_client to show you the certificate chain with -showcerts:



          openssl s_client -connect example.com:443 -showcerts </dev/null


          This will start with the certificate chain, then show other information about the server certificate and TLS connection. All of that should help you to figure out where the trouble is. It might be in an intermediate certificate, not the CA.



          You can get a quick summary of the certificate chain by filtering the output:



          openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null |
          sed -e '1,/Certificate chain/d' -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/d' -e '/---/,$d'





          share|improve this answer













          You can get s_client to show you the certificate chain with -showcerts:



          openssl s_client -connect example.com:443 -showcerts </dev/null


          This will start with the certificate chain, then show other information about the server certificate and TLS connection. All of that should help you to figure out where the trouble is. It might be in an intermediate certificate, not the CA.



          You can get a quick summary of the certificate chain by filtering the output:



          openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null |
          sed -e '1,/Certificate chain/d' -e '/BEGIN CERTIFICATE/,/END CERTIFICATE/d' -e '/---/,$d'






          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Mar 9 '18 at 20:23









          Andrew SchulmanAndrew Schulman

          6,437102241




          6,437102241













          • Thanks for the suggestions, I compared the output of these commands between 'old' and 'new' OpenSSL and they show the same cert trail and info, there are only two minor differences in output (from your first command): 1. the newer OpenSSL tells me 'New, TLSv1.2, Cipher is...' vs. 'New, TLSv1/SSLv3, Cipher is...' in the last block and 2. the newer one lists 'Extended master secret: yes'. That's it, apart from the 'unable to get local issuer' message ofc.

            – kasimir
            Mar 9 '18 at 21:50



















          • Thanks for the suggestions, I compared the output of these commands between 'old' and 'new' OpenSSL and they show the same cert trail and info, there are only two minor differences in output (from your first command): 1. the newer OpenSSL tells me 'New, TLSv1.2, Cipher is...' vs. 'New, TLSv1/SSLv3, Cipher is...' in the last block and 2. the newer one lists 'Extended master secret: yes'. That's it, apart from the 'unable to get local issuer' message ofc.

            – kasimir
            Mar 9 '18 at 21:50

















          Thanks for the suggestions, I compared the output of these commands between 'old' and 'new' OpenSSL and they show the same cert trail and info, there are only two minor differences in output (from your first command): 1. the newer OpenSSL tells me 'New, TLSv1.2, Cipher is...' vs. 'New, TLSv1/SSLv3, Cipher is...' in the last block and 2. the newer one lists 'Extended master secret: yes'. That's it, apart from the 'unable to get local issuer' message ofc.

          – kasimir
          Mar 9 '18 at 21:50





          Thanks for the suggestions, I compared the output of these commands between 'old' and 'new' OpenSSL and they show the same cert trail and info, there are only two minor differences in output (from your first command): 1. the newer OpenSSL tells me 'New, TLSv1.2, Cipher is...' vs. 'New, TLSv1/SSLv3, Cipher is...' in the last block and 2. the newer one lists 'Extended master secret: yes'. That's it, apart from the 'unable to get local issuer' message ofc.

          – kasimir
          Mar 9 '18 at 21:50


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Server Fault!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f900837%2fopenssl-keeps-telling-me-unable-to-get-local-issuer-certificate%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Фонтен-ла-Гаярд Зміст Демографія | Економіка | Посилання |...

          Список ссавців Італії Природоохоронні статуси | Список |...

          Маріан Котлеба Зміст Життєпис | Політичні погляди |...