
I am running Windows Vista and am attempting to connect via https to upload a file in a multipart form, but I am having some trouble with the local issuer certificate. I am just trying to figure out why this isn't working now, and go back to my cURL code later after this is worked out. I'm running the command:

openssl s_client -connect connect_to_site.com:443

It gives me a digital certificate from VeriSign, Inc., but also shoots out an error:

Verify return code: 20 (unable to get local issuer certificate)

What is the local issuer certificate? Is that a certificate from my own computer? Is there a way around this? I have tried using a -CAfile mozilla.pem file, but it still gives me the same error.

bryan sammon
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) or [Information Security Stack Exchange](http://security.stackexchange.com/) would be a better place to ask. – jww Oct 08 '16 at 16:59
  • @jww no it can't, underscores are not valid in domain names. – Doktor J Mar 21 '17 at 19:25
  • @DoktorJ - Underscores in domain names are OK, while underscores in host names used to be forbidden. `connect_to_site.com` is a domain name, not a host name. I don't know if IDNA allows underscores in host names. Also see [Can (domain name) subdomains have an underscore “_” in it?](http://stackoverflow.com/a/14622263/608639). – jww Mar 21 '17 at 19:33

14 Answers


I had the same problem and solved it by passing the path to a directory where CA keys are stored. On Ubuntu it was:

openssl s_client -CApath /etc/ssl/certs/ -connect address.com:443
Jan Wrobel
  • This issue is discussed in [Ubuntu bug #396818](https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/396818). – Håkon A. Hjortland Apr 20 '14 at 07:17
  • You can also set the path to `/dev/null` to have your client search for the certificates in all the usual places itself. – mulllhausen Aug 13 '15 at 08:25
  • Note that this path is usually populated by the package `ca-certificates`. – Josip Rodin Oct 05 '16 at 15:12
  • @Jan can you please help me with a similar issue? I am not able to resolve it anyhow, although I specified CApath, CAfile and everything else: https://stackoverflow.com/questions/69836489/openssl-certificate-error-for-winrm-connection – vel Nov 05 '21 at 11:40

Solution: You must explicitly add the parameter -CAfile your-ca-file.pem.

Note: I also tried the -CApath parameter mentioned in other answers, but it does not work for me.

Explanation: The error unable to get local issuer certificate means that openssl does not know your root CA cert.

Note: If you have a web server with more domains, do not forget to also add the -servername your.domain.net parameter. This parameter will "Set TLS extension servername in ClientHello". Without this parameter, the response will always contain the default SSL cert (not the certificate that matches your domain).

Martin
  • Thank you so much, I've been on it for hours. Nothing worked but this!! – Ayush Jul 12 '17 at 15:49

This error also happens if you're using a self-signed certificate with a keyUsage missing the value keyCertSign.

Conrado
  • I spent hours tracking this down. Thank you! – Nathan Moinvaziri Apr 25 '17 at 07:21
  • I just tried even the CA's certificate with usage keyCertSign; the problem is the same. It seems that the CA cert or the root cert should be added to openssl's certs DB (/etc/ssl/certs/ca-certificates.crt). – jackiszhp Nov 04 '17 at 06:27
  • This issue has been fixed today in OpenSSL (see https://github.com/openssl/openssl/issues/1418) and the fix should be available soon. – dvo Dec 18 '18 at 10:56

Is your server configured for client authentication? If so you need to pass the client certificate while connecting with the server.

Sivachandran

I had the same problem on OSX OpenSSL 1.0.1i from Macports, and also had to specify CApath as a workaround (and as mentioned in the Ubuntu bug report, even an invalid CApath will make openssl look in the default directory). Interestingly, connecting to the same server using PHP's openssl functions (as used in PHPMailer 5) worked fine.

Brophy

Put your CA & root certificate in /usr/share/ca-certificate or /usr/local/share/ca-certificate. Then

dpkg-reconfigure ca-certificates

or even reinstall the ca-certificate package with apt-get.

After doing this your certificate is collected into the system's DB: /etc/ssl/certs/ca-certificates.crt

Then everything should be fine.

jackiszhp
  • I wonder if Windows has a folder /usr/share/ca-certificate or /usr/local/share/ca-certificate. And what would dpkg-reconfigure mean in Windows terms? – Harald Coppoolse Feb 28 '19 at 09:46
  • In Windows you would put the certificate into the local machine's certificate store. Run mmc.exe, then Add/Remove Snap-in > Certificates > Local Computer. Put any end-entity certificates into the Personal store, then intermediate certs into the Intermediate folder, etc. – Chuck Herrington Feb 12 '20 at 15:53

With client authentication:

openssl s_client -cert ./client-cert.pem -key ./client-key.key -CApath /etc/ssl/certs/ -connect foo.example.com:443
toppur

Create the certificate chain file with the intermediate and root CA.

cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem

chmod 444 intermediate/certs/ca-chain.cert.pem

Then verify:

openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \
  intermediate/certs/www.example.com.cert.pem

www.example.com.cert.pem: OK

Deploy the certific

sanjay

I faced the same issue. It got fixed after keeping the issuer subject value in the certificate exactly the same as the subject of the issuer certificate.

So please check "issuer subject value in the certificate (cert.pem) == subject of issuer (CA.pem)":

openssl verify -CAfile CA.pem cert.pem
cert.pem: OK


I got this problem when my NGINX server did not have a complete certificate chain in the certificate file it was configured with.

My solution was to find a similar server and extract the certificates from that server with something like:

openssl s_client -showcerts -CAfile my_local_issuer_CA.cer -connect my.example.com:443 > output.txt

Then I added the ASCII-armoured certificates from that 'output.txt' file (except the machine certificate) to a copy of my machine's certificate file and pointed NGINX at that copied file instead, and the error went away.

Samuel Åslund
  • Yes, this was the problem in my case, too. The web server did not send the whole certificate chain but only its own certificate. – jansohn Jan 02 '23 at 08:34

This error message means that the CA bundle is not given (by -CAfile ...) OR the CA bundle file is not closed by a self-signed root certificate.

Don't worry. The connection to the server will work even if you get this message from openssl s_client ... (assuming you don't make other mistakes too).


I would update @user1462586 answer by doing the following:

I think it is more suitable to use update-ca-certificates command, included in the ca-certificates package than dpkg-reconfigure.

So basically, I would change its useful answer to this:

  1. Retrieve the certificate (from this Stack Overflow answer) and write it in the right directory:
# let's say we call it my-own-cert.crt
openssl s_client -CApath /etc/ssl/certs/ -connect <hostname.domain.tld>:<port> 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /usr/share/ca-certificates/my-own-cert.crt

Repeat the operation if you need other certificates.

For example, if you need CA certs for ldaps/starttls with Active Directory, see here for how to process this and use openssl to convert it to pem/crt:

openssl x509 -inform der -in LdapSecure.cer -out my-own-ca.pem
# and copy it in the right directory...
cp my-own-ca.pem /usr/share/ca-certificates/my-own-ca.crt
  2. Add these certificates to the /etc/ca-certificates.conf configuration file:
echo "my-own-cert.crt" >> /etc/ca-certificates.conf
echo "my-own-ca.crt" >> /etc/ca-certificates.conf
  3. Update the /etc/ssl/certs directory:
update-ca-certificates
  4. Enjoy

Note that if you use private domain name machines, instead of legitimate public domain names, you may need to edit your /etc/hosts file to be able to have the corresponding FQDN.

remyd1

This is due to an SNI certificate binding issue on the Vserver or server itself.


OpenSSL verify certificate chain

[Signature, Certificate]

For example:

# openssl verify -verbose -CAfile <root_CA> <other_chain>
openssl verify -verbose -CAfile AppleRootCA-G3.pem certificates.pem

# -CAfile - exposes the root certificate, which usually is not a part of the bundle
# certificates.pem contains in first place the intermediate certificate and after that the end-user certificate

Usually this error is thrown when chain verification fails:

unable to get local issuer certificate

Please check the sequence of the chain:

Root -> Intermediate -> ... -> End-user
yoAlex5
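A runnable illustration of the chain points made across these answers (the -CAfile explanation, keyUsage keyCertSign on a CA cert, the intermediate-plus-root chain file, a server that sends its intermediate, and chain order), added here and not taken from any answer: it generates a throwaway Root -> Intermediate -> leaf chain with openssl and shows which trust input produces "unable to get local issuer certificate" and which clears it. The CA names and the host www.example.test are hypothetical.

```shell
#!/bin/sh
# Added example (not code from any answer above): build a throwaway Root -> Intermediate -> leaf
# chain with openssl, then show which trust input makes `openssl verify` report
# "unable to get local issuer certificate" and which fixes it. All names are hypothetical.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles. A CA cert needs CA:TRUE and keyUsage keyCertSign; a leaf must not be a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# issue <name> <subject> <extfile> [<issuer name>]; without an issuer the cert is self-signed.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ $# -eq 4 ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
      -days 2 -extfile "$3" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 -extfile "$3" -out "$1.crt" 2>/dev/null
  fi
}
issue root "/CN=Example Root CA" ca.ext
issue int  "/CN=Example Intermediate CA" ca.ext root
issue leaf "/CN=www.example.test" leaf.ext int

# Verify leaf.crt against a trust file; the verdict (OK or the error text) is joined on one line.
verify_with() {
  openssl verify -CAfile "$1" leaf.crt 2>&1 | tr '\n' ' '
}
# Model a server that sends its intermediate (the NGINX answer): the intermediate is supplied
# as untrusted chain material and only the self-signed root is trusted.
verify_with_sent_chain() {
  openssl verify -CAfile root.crt -untrusted int.crt leaf.crt 2>&1 | tr '\n' ' '
}

cat int.crt root.crt > ca-chain.crt      # chain order: intermediate first, then the root

echo "root only:        $(verify_with root.crt)"      # error 20 ... unable to get local issuer certificate
echo "chain file:       $(verify_with ca-chain.crt)"  # leaf.crt: OK
echo "server sends int: $(verify_with_sent_chain)"    # leaf.crt: OK
```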