
I know there's a lot of answers for this question already, but I've tried everything and I still can't get this to work. I'm just trying to get HTTPS for my localhost working. Any help/tips would be appreciated, thanks!

I'm running Python 2.7 and OpenSSL 1.1.0f on macOS 10.13 High Sierra.

What I've tried/know:

  • I have my self-signed root certificate in Keychain Access marked as Always Trust.
  • From what I read, I understand error 20 means it can't find my root certificate, but it's in my Keychain Access, so I'm not sure what I'm missing.
  • I've also read about /etc/ca-certificates.conf and making sure the certificate is in there. I've checked and it's not, but I've tried putting it there and updating ca-certificates, and it hasn't worked either. From my understanding, having my root CA in Keychain Access should be enough?
    • Basically, I have my self-signed root cert in the keychain and my key and cert in my Python file, but when I curl localhost I receive curl: (60) SSL certificate problem: unable to get local issuer certificate

I've also tried all of these and I get the same output:

openssl s_client -connect localhost:5000

openssl s_client -connect localhost:5000 -CAfile rootCA.pem

openssl s_client -connect localhost:5000 -CApath /etc/ssl/certs/

Output:

openssl s_client -CApath /etc/ssl/certs/ -connect localhost:5000
CONNECTED(00000003)
depth=0 C = US, ST = California, L = San Fran, O = My org, OU = My unit, CN = localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = San Fran, O = My org, OU = My unit, CN = localhost
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Fran/O=My org/OU=My unit/CN=localhost
   i:/C=US/ST=California/L=San Fran/O=My org/OU=My unit/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
certificate stuff...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Fran/O=My org/OU=My unit/CN=localhost
issuer=/C=US/ST=California/L=San Fran/O=My org/OU=My unit/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
.
.
.
. other info....

    Start Time: 1530725381
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: yes
helloworld
  • 1. What does Python have to do with anything? 2. `openssl s_client -CAfile` works for me. 3. openssl does not use the Mac keychain, so putting a cert in there won't help. 4. Using -CApath /etc/ssl/certs/ doesn't make any sense. – President James K. Polk Jul 04 '18 at 18:22
  • @JamesKPolk right, -CAfile isn't working for me, and in regards to the -CApath, I was just following this other question: https://stackoverflow.com/questions/11548336/openssl-verify-return-code-20-unable-to-get-local-issuer-certificate – helloworld Jul 04 '18 at 19:33
  • You really aren't including enough information to help you. – President James K. Polk Jul 04 '18 at 20:09
  • What other information should I put down? I can try to add more. – helloworld Jul 04 '18 at 20:11
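
Added example (not part of the original thread): a shell sketch of the point made in the comments, that `openssl` builds a chain from its own CA file or directory rather than the macOS keychain. It creates a throwaway root CA and a localhost certificate, then runs `openssl verify` with and without `-CAfile`; the subjects, file names, `demo.cnf`, and the helpers `make_demo_pki` and `verify_code` are all constructed for this illustration.

```shell
#!/bin/sh
# Constructed demo: a throwaway root CA and a localhost leaf certificate.
# File names, subjects and the config file are made up for this example.

make_demo_pki() {
    dir=$1
    # Minimal config so the root always carries basicConstraints CA:TRUE.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        'x509_extensions = v3_ca' '[dn]' 'O = Demo Org' 'CN = Demo Root CA' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$dir/demo.cnf"
    # Self-signed root CA.
    openssl req -x509 -config "$dir/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/rootCA.key" -out "$dir/rootCA.pem" 2>/dev/null || return 1
    # Leaf key and CSR for localhost (-subj overrides the [dn] section).
    openssl req -new -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/O=Demo Org/CN=localhost" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # Sign the CSR with the root CA.
    openssl x509 -req -in "$dir/server.csr" -days 1 \
        -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null || return 1
}

verify_code() {
    # Usage: verify_code LEAF [openssl verify options...]
    # Prints "ok" on success, otherwise the first OpenSSL verify error number.
    leaf=$1; shift
    out=$(openssl verify "$@" "$leaf" 2>&1) || true
    case $out in
        *"error "[0-9]*)
            printf '%s\n' "$out" |
                sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1 ;;
        *": OK"*) echo ok ;;
        *) echo unknown ;;
    esac
}

demo_dir=$(mktemp -d) && make_demo_pki "$demo_dir" || exit 1
# No trust anchor supplied: the issuer cannot be found in OpenSSL's own store.
echo "no trust anchor: $(verify_code "$demo_dir/server.pem")"
# Root passed explicitly: the chain leaf -> root now verifies.
echo "with -CAfile:    $(verify_code "$demo_dir/server.pem" -CAfile "$demo_dir/rootCA.pem")"
rm -rf "$demo_dir"
```

The same `-CAfile` argument applies to `openssl s_client`, and `curl --cacert` plays the equivalent role for curl.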
