openssl s_client -connect connect_to_site.com:443
It gives me a digital certificate from VeriSign, Inc., but also shoots out an error:
Verify return code: 20 (unable to get local issuer certificate)
What is the local issuer certificate? Is that a certificate from my own computer? Is there a way around this? I have tried using the -CAfile mozilla.pem file but it still gives me the same error.
I had the same problem and solved it by passing the path to a directory where CA keys are stored. On Ubuntu it was:
openssl s_client -CApath /etc/ssl/certs/ -connect address.com:443
This error also happens if you're using a self-signed certificate with a keyUsage missing the value keyCertSign.
Solution: You have to explicitly add the parameter -CAfile your-ca-file.pem.
Note: I also tried the param -CApath mentioned in other answers, but it does not work for me.
Explanation: The error unable to get local issuer certificate means that openssl does not know your root CA cert.
Note: If you have a web server with more domains, do not forget to also add the -servername your.domain.net parameter. This parameter will "Set TLS extension servername in ClientHello". Without this parameter, the response will always contain the default SSL cert (not the certificate that matches your domain).
Is your server configured for client authentication? If so you need to pass the client certificate while connecting with the server.
I had the same problem on OSX OpenSSL 1.0.1i from Macports, and also had to specify CApath as a workaround (and as mentioned in the Ubuntu bug report, even an invalid CApath will make openssl look in the default directory). Interestingly, connecting to the same server using PHP's openssl functions (as used in PHPMailer 5) worked fine.
Put your CA & root certificate in /usr/share/ca-certificate or /usr/local/share/ca-certificate. Then
or even reinstall the ca-certificate package with apt-get.
After doing this your certificate is collected into the system's DB: /etc/ssl/certs/ca-certificates.crt
Then everything should be fine.
With client authentication:
openssl s_client -cert ./client-cert.pem -key ./client-key.key -CApath /etc/ssl/certs/ -connect foo.example.com:443
Create the certificate chain file with the intermediate and root CA.
cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
chmod 444 intermediate/certs/ca-chain.cert.pem
Then verify
openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/www.example.com.cert.pem
www.example.com.cert.pem: OK
Deploy the certific
I faced the same issue. It got fixed after keeping the issuer subject value in the certificate the same as the subject of the issuer certificate.
So please check "issuer subject value in the certificate (cert.pem) == subject of issuer (CA.pem)"
openssl verify -CAfile CA.pem cert.pem
cert.pem: OK
This error message means that the CABundle is not given by (-CAfile ...) OR the CABundle file is not closed by a self-signed root certificate.
Don't worry. The connection to the server will work even if you get this message from openssl s_client ... (assuming you don't get other errors too)
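The missing-issuer condition the answers above describe, reproduced offline as an added example (not code from the original posts): it builds a constructed root, intermediate and leaf, then runs openssl verify with and without the intermediate in the -CAfile bundle. The subject names, file names and the helper functions new_csr, build_demo_pki and verify_code are assumptions made for this demo.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> leaf. All names are made up.

# new_csr <path-prefix> <common-name>: write <prefix>.key and <prefix>.csr
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# build_demo_pki <dir>: create root.pem, int.pem, leaf.pem and ca-chain.pem
build_demo_pki() {
    p=$1
    # CA extensions: an issuer needs CA:TRUE and keyUsage keyCertSign
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$p/ca.ext" &&
    new_csr "$p/root" "Demo Root CA" &&
    openssl x509 -req -in "$p/root.csr" -signkey "$p/root.key" -days 2 \
        -extfile "$p/ca.ext" -out "$p/root.pem" 2>/dev/null &&
    new_csr "$p/int" "Demo Intermediate CA" &&
    openssl x509 -req -in "$p/int.csr" -CA "$p/root.pem" -CAkey "$p/root.key" \
        -CAcreateserial -days 2 -extfile "$p/ca.ext" -out "$p/int.pem" 2>/dev/null &&
    new_csr "$p/leaf" "www.example.com" &&
    openssl x509 -req -in "$p/leaf.csr" -CA "$p/int.pem" -CAkey "$p/int.key" \
        -CAcreateserial -days 2 -out "$p/leaf.pem" 2>/dev/null &&
    # Same layout as the ca-chain file in the answer: intermediate first, then root
    cat "$p/int.pem" "$p/root.pem" > "$p/ca-chain.pem"
}

# verify_code <CAfile> <cert>: print 0 on success, else the first verify error number
verify_code() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo 0; return 0; }
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

d=$(mktemp -d)
build_demo_pki "$d" || { echo "openssl failed to build the demo PKI" >&2; exit 1; }
# Leaf's issuer (the intermediate) is absent from the bundle: the chain cannot be built
echo "CAfile = root only:           code $(verify_code "$d/root.pem" "$d/leaf.pem")"
# Bundle holds intermediate + self-signed root: the chain closes
echo "CAfile = intermediate + root: code $(verify_code "$d/ca-chain.pem" "$d/leaf.pem")"
rm -rf "$d"
```
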