ns am running home windows Vista and am attempting to affix via https to upload a paper in a multi part type but ns am having some trouble with the neighborhood issuer certificate. I am simply trying to number out why this isnt functioning now, and go back to my curl code later after this is operated out. Im to run the command:

openssl s_client -connect connect_to_site.com:443It gives me one digital certificate indigenous VeriSign, Inc., but additionally shoots the end an error:

Verify return code: 20 (unable to get local issuer certificate)What is the neighborhood issuer certificate? Is that a certificate from my own computer? Is over there a way around this? I have actually tried using -CAfile mozilla.pem paper but still provides me same error.

You are watching: Verify error:num=20:unable to get local issuer certificate


I had actually the very same problem and also solved that by passing path to a directory where CA keys are stored. Top top Ubuntu that was:

openssl s_client -CApath /etc/ssl/certs/ -connect address.com:443


This error additionally happens if you"re making use of a self-signed certificate with a keyUsage absent the value keyCertSign.


Solution:You have to explicitly include the parameter -CAfile your-ca-file.pem.

Note: ns tried additionally param -CApath stated in one more answers, but is does not functions for me.

Explanation:Error unable to gain local issuer certificate means, the the openssl go not recognize your root CA cert.

Note: If you have actually web server with an ext domains, perform not forget to include also -servername your.domain.net parameter. This parameter will "Set TLS expansion servername in ClientHello". There is no this parameter, the an answer will always contain the default SSL cert (not certificate, that complement to your domain).


Is her server configured for client authentication? If so you should pass the client certificate when connecting with the server.


I had the same trouble on OSX OpenSSL 1.0.1i native Macports, and likewise had to specify CApath as a workaround (and as discussed in the Ubuntu bug report, also an invalid CApath will certainly make openssl look at in the default directory). Interestingly, connecting to the very same server making use of PHP"s openssl features (as offered in PHPMailer 5) worked fine.

put her CA & source certificate in /usr/share/ca-certificate or /usr/local/share/ca-certificate.Then

dpkg-reconfigure ca-certificates

or even reinstall ca-certificate package v apt-get.

After act this your certificate is gathered into system"s DB:/etc/ssl/certs/ca-certificates.crt

Then whatever should be fine.

With client authentication:

openssl s_client -cert ./client-cert.pem -key ./client-key.key -CApath /etc/ssl/certs/ -connect foo.example.com:443
Create the certificate chain record with the intermediate and root ca.

cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pemchmod 444 intermediate/certs/ca-chain.cert.pemThen verfify

openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/www.example.com.cert.pemwww.example.com.cert.pem: OKDeploy the certific

I confronted the very same issue, It obtained fixed after keeping issuer subject value in the certificate as it is as subject of issuer certificate.

so please check "issuer topic value in the certificate(cert.pem) == topic of issuer (CA.pem)"

openssl verify -CAfile CA.pem cert.pem cert.pem: OK

this error messages method thatCABundle is not offered by (-CAfile ...) ORthe CABundle paper is not closed through a self-signed source certificate.

Don"t worry. The connection to server will certainly work also you get theis blog post from openssl s_client ... (assumed you dont take other mistake too)

Thanks for contributing response to ridge Overflow!

Please be certain to answer the question. Administer details and also share her research!

But avoid

Asking for help, clarification, or responding to various other answers.Making statements based upon opinion; ago them increase with referrals or personal experience.

See more: Look For The Girl With The Broken Smile, Maroon 5 Quote

To learn more, watch our advice on writing good answers.

post Your answer Discard

By click “Post her Answer”, girlfriend agree come our terms of service, privacy policy and also cookie plan

Not the price you're spring for? Browse other questions tagged openssl or ask your own question.

Adding a brand-new SSL certificate to settle Verify return code: 20 (unable to acquire local issuer certificate)?
site style / logo © 2021 stack Exchange Inc; user contributions licensed under cc by-sa. Rev2021.11.1.40614

her privacy

By click “Accept every cookies”, friend agree ridge Exchange have the right to store cookie on your machine and disclose info in accordance with our Cookie Policy.