OpenSSL error 20: unable to get local issuer certificate


The problem was in my ssl.conf file in Apache. It was overriding the VirtualHost settings for the domain in httpd.conf, so I moved my VirtualHost settings into ssl.conf ahead of the default:443 VirtualHost entry. Doing this resolved my issue.

Thanks again to Shane Madden for all of the help on this issue.
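The arrangement the answer describes, as an added illustration (not the poster's actual config; the hostname and file paths are placeholders):

```apache
# ssl.conf (added example). Apache hands the FIRST <VirtualHost> that matches an
# IP:port to any client whose SNI name matches no vhost, and to clients that send
# no SNI at all (e.g. the OpenSSL 0.9.8 s_client in the question). The site's
# vhost must therefore come BEFORE the distro's stock _default_:443 entry.
Listen 443
NameVirtualHost *:443   # required on Apache 2.2 for name-based SSL vhosts; 2.4 ignores it

<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/www.example.test.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/www.example.test.key
    # Vendor intermediate CA(s). Without these, clients (and openssl s_client)
    # cannot build the chain and report "unable to get local issuer certificate".
    SSLCertificateChainFile /etc/pki/tls/certs/vendor-intermediates.crt
</VirtualHost>

# The stock self-signed vhost that was winning before: now only reached when
# no ServerName matches, instead of for every connection on port 443.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/localhost.key
</VirtualHost>
```

After a full stop/start, `apachectl -S` should list the site's ServerName as the default server for port 443 rather than the local FQDN.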



Author: chapkom

Updated on September 18, 2022

Comments

  • chapkom
    chapkom almost 2 years

    I'm trying to get a Network Solutions SSL to work and I'm not having much luck.

    openssl verify gives me error 20 unable to get local issuer certificate

    I've followed the directions here and here and copied the crt file and the Apache_Plesk_Install.txt file to the certs directory and I put the private key in the private directory. I've verified in openssl.cnf that I put the files in the proper directories.

    I followed Nick Burch's guide to installing CA Certificates and have had no luck in resolving the issue.

    If anyone can give me any ideas of what's going on, I would definitely appreciate it.

    Platform CentOS 5.7 OpenSSL 0.9.8e-fips-rhel5

    • chapkom
      chapkom over 12 years
      Nick Burch's guide can be found here.
    • ravi yarlagadda
      ravi yarlagadda over 12 years
      Is Apache presenting the full certificate chain (openssl s_client -showcerts)? Does it work when you specify the trusted CA cert directly on the OpenSSL command line?
    • chapkom
      chapkom over 12 years
      When I run openssl verify on the CA cert, it doesn't output anything. The process seems to hang.
    • ravi yarlagadda
      ravi yarlagadda over 12 years
      Check if it's a valid file? openssl x509 -in /path/to/cert -noout -text
    • chapkom
      chapkom over 12 years
      openssl x509 comes back with CA information for Network Solutions valid until May 30, 2020
    • ravi yarlagadda
      ravi yarlagadda over 12 years
      Oh - your openssl verify command was probably just waiting for input. What was the exact command that you ran?
    • chapkom
      chapkom over 12 years
      I figured out why the process hung on openssl verify of the trusted CA cert. I needed to add the CA root cert to that directory. I'm still getting error 20 for the server SSL, though.
    • chapkom
      chapkom over 12 years
      New info. When I run openssl verify -CApath /path/to/CA /path/to/cert my server certificate comes back ok. When I run openssl verify /path/to/cert I get error 20. That seems to indicate that openssl isn't using the CA path that I think it's using. I'm going to double check my openssl.cnf file.
    • ravi yarlagadda
      ravi yarlagadda over 12 years
      Well, OpenSSL's trust really doesn't matter for getting the certificate working in Apache. What issues are you having with that (since the certs look perfectly valid)?
    • chapkom
      chapkom over 12 years
      The domain keeps presenting a self-signed certificate that is assigned to localhost.localdomain instead of using the SSL I got from Network Solutions for my actual domain.
    • ravi yarlagadda
      ravi yarlagadda over 12 years
      What does your Apache config for the site look like? And did you fully restart (not just reload) Apache after making the configuration changes?
    • chapkom
      chapkom over 12 years
      I did a full stop/start on Apache. Config options for SSL for the domain are as follows: SSLEngine on, SSLCertificateFile /absolute/path/to/cert, SSLCertificateKeyFile /absolute/path/to/key, SSLCertificateChainFile /absolute/path/to/file, SSLCACertificateFile /absolute/path/to/CA
    • ravi yarlagadda
      ravi yarlagadda over 12 years
      Is there another SSL virtualhost in place elsewhere, perhaps? What's the output from apache2ctl -S?
    • chapkom
      chapkom over 12 years
      There is only one SSL virtual host in place right now. I did notice something strange in the output, though. My unsecured domains (port 80) all use the domain name as the default server. My secured domain uses the local FQDN as the default server. It seems to be using the default settings from the ssl.conf file for Apache instead of the settings I designated in the VirtualHost section of httpd.conf.
    • ravi yarlagadda
      ravi yarlagadda over 12 years
      What's in ssl.conf?
    • chapkom
      chapkom over 12 years
      ssl.conf has a default:443 entry with SSLCertificateFile /path/to/self-signed/cert and SSLCertificateKeyFile /path/to/self-signed/key. I haven't been able to figure out how to override those settings, though. Shouldn't the directives within httpd.conf have done that?
    • chapkom
      chapkom over 12 years
      Ok. I moved the SSL directives from httpd.conf into a VirtualHost inside the ssl.conf file ahead of the default:443 VirtualHost and that seems to have cleared up the SSL issue. Shane, you have been an incredible help and I thank you greatly for taking this much time out of your day to assist me.
    • ravi yarlagadda
      ravi yarlagadda over 12 years
      Great! When the system allows you to, go ahead and put in an answer to the question and mark it as accepted, so that future searchers with the same issue can find it.
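The `openssl verify` behaviour worked out in the comments above (error 20 without a CA path, OK with one), reproduced as an added, self-contained example that is not part of the original thread. It builds a throwaway CA and server certificate with the openssl CLI (assumed installed); no real CA or key is used.

```sh
#!/bin/sh
# Added example: reproduce OpenSSL "error 20: unable to get local issuer
# certificate" against a constructed chain, then verify with the issuer supplied.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_chain() {
  # Throwaway root CA (constructed here, not a real CA); stock openssl.cnf
  # marks a "req -x509" certificate as CA:TRUE.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -days 1 -subj "/CN=Example Test CA" 2>/dev/null
  # Server key and CSR, signed by that CA: the CA is the "local issuer" that
  # error 20 says it cannot find.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=www.example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" \
    -days 1 2>/dev/null
}

# What the question hit: the issuer is not in the default trust store, so
# verification fails with error 20. Returns 0 when that exact error appears.
verify_without_issuer() {
  out=$(openssl verify "$WORK/server.crt" 2>&1 || true)
  echo "$out" | grep -q "unable to get local issuer certificate"
}

# Same certificate with the issuer supplied explicitly, equivalent to the
# "openssl verify -CApath ..." run in the comments. Returns 0 on "OK".
verify_with_issuer() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" 2>/dev/null \
    | grep -q ": OK"
}

make_chain
verify_without_issuer && echo "no issuer supplied: error 20, as in the question"
verify_with_issuer && echo "issuer supplied with -CAfile: OK"
```

Note that `openssl verify` with no file argument reads a certificate from stdin, which is why the command appeared to hang earlier in the thread.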