OpenSSL error 20: unable to get local issuer certificate
The problem was in my ssl.conf file in Apache. It was overriding the VirtualHost settings for the domain in httpd.conf, so I moved my VirtualHost settings into ssl.conf ahead of the default:443 VirtualHost entry. Doing this resolved my issue.
Thanks again to Shane Madden for all of the help on this issue.
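The checks the thread walks through (reproducing error 20, verifying with `-CAfile` versus a hashed `-CApath` directory, confirming the key matches the certificate, and the VirtualHost ordering that was the actual fix) as one added script, not part of the original answer or of the Apache/OpenSSL projects. It builds a throwaway CA and server certificate so it runs offline; every subject, hostname, path and the sample ssl.conf text are assumptions for the demo, and the awk function stands in for reading the "default server" line that `apachectl -S` prints for port 443.

```shell
#!/bin/sh
# Added example, not from the original answer or from Apache/OpenSSL docs.
# Part 1 reproduces OpenSSL "error 20" with a throwaway CA and server cert,
# then shows the -CAfile / -CApath forms that succeed and a key/cert match check.
# Part 2 writes an example ssl.conf in which the site's VirtualHost precedes the
# _default_:443 one and reports which vhost Apache would treat as the default.
# All hostnames, subjects, paths and the config text are assumptions for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- Part 1: throwaway CA and a server certificate it signs (constructed test data)
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
cat > "$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Example Demo CA" -days 2 2>/dev/null
openssl req -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" -subj "/CN=www.example.com" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -extfile "$WORK/server.ext" -out "$WORK/server.crt" -days 1 2>/dev/null

# A -CApath directory is only consulted through subject-hash file names (what c_rehash
# creates); copying a CA file into the directory under its own name is not enough.
mkdir "$WORK/cadir"
ln -s "$WORK/ca.crt" "$WORK/cadir/$(openssl x509 -noout -hash -in "$WORK/ca.crt").0"

# Without the issuing CA in any trust store the leaf fails with the error-20 text.
verify_without_ca() {
  openssl verify "$WORK/server.crt" 2>&1 | grep -q 'unable to get local issuer certificate'
}
verify_with_cafile() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; }
verify_with_capath() { openssl verify -CApath "$WORK/cadir" "$WORK/server.crt" >/dev/null 2>&1; }
# The public key inside the cert must equal the one derived from the private key.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$WORK/server.crt")" = \
    "$(openssl pkey -pubout -in "$WORK/server.key")" ]
}

# --- Part 2: vhost ordering. Apache serves the first VirtualHost defined for an
# address:port when no ServerName/SNI match is found, so the site's block must come
# before the stock _default_:443 block (assumed paths; CentOS-style /etc/pki layout).
cat > "$WORK/ssl.conf" <<'EOF'
Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example
    SSLEngine on
    SSLCertificateFile      /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile   /etc/pki/tls/private/www.example.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/intermediate-bundle.crt
</VirtualHost>
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF

# ServerName of the first :443 VirtualHost in a config file (stand-in for the
# "default server" line that "apachectl -S" prints for port 443).
default_vhost_443() {
  awk '/^<VirtualHost .*:443>/ { inblock=1; name="(no ServerName)" }
       inblock && /^[[:space:]]*ServerName/ { name=$2 }
       inblock && /^<\/VirtualHost>/ { print name; exit }' "$1"
}

echo "error 20 without CA:      $(verify_without_ca && echo yes || echo no)"
echo "verify with -CAfile:      $(verify_with_cafile && echo OK || echo FAIL)"
echo "verify with -CApath:      $(verify_with_capath && echo OK || echo FAIL)"
echo "key matches certificate:  $(key_matches_cert && echo yes || echo no)"
echo "default vhost for :443:   $(default_vhost_443 "$WORK/ssl.conf")"
```

Two caveats a practitioner would add to the config in the thread: `SSLCACertificateFile` is the CA set used to verify client certificates, so it has no effect on the chain the server sends to browsers, and `SSLCertificateChainFile` is obsolete from Apache 2.4.8 onward, where the intermediates go after the leaf inside `SSLCertificateFile`. On a running server, `openssl s_client -connect host:443 -servername host -showcerts` shows which certificate and chain the vhost actually presents.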
chapkom
Updated on September 18, 2022
Comments
-
chapkom almost 2 years
I'm trying to get a Network Solutions SSL to work and I'm not having much luck.
openssl verify gives me error 20 unable to get local issuer certificate
I've followed the directions here and here and copied the crt file and the Apache_Plesk_Install.txt file to the certs directory and I put the private key in the private directory. I've verified in openssl.cnf that I put the files in the proper directories.
I followed Nick Burch's guide to installing CA Certificates and have had no luck in resolving the issue.
If anyone can give me any ideas of what's going on, I would definitely appreciate it.
Platform: CentOS 5.7, OpenSSL 0.9.8e-fips-rhel5
-
chapkom over 12 years
Nick Burch's guide can be found here.
-
ravi yarlagadda over 12 years
Is Apache presenting the full certificate chain (openssl s_client -showcerts)? Does it work when you specify the trusted CA cert directly on the OpenSSL command line?
-
chapkom over 12 years
When I run openssl verify on the CA cert, it doesn't output anything. The process seems to hang.
-
ravi yarlagadda over 12 years
Check if it's a valid file? openssl x509 -in /path/to/cert -noout -text
-
chapkom over 12 years
openssl x509 comes back with CA information for Network Solutions, valid until May 30, 2020.
-
ravi yarlagadda over 12 years
Oh - your openssl verify command was probably just waiting for input. What was the exact command that you ran?
-
chapkom over 12 years
I figured out why the process hung on openssl verify of the trusted CA cert. I needed to add the CA root cert to that directory. I'm still getting error 20 for the server SSL, though.
-
chapkom over 12 years
New info. When I run openssl verify -CApath /path/to/CA /path/to/cert, my server certificate comes back OK. When I run openssl verify /path/to/cert, I get error 20. That seems to indicate that openssl isn't using the CA path that I think it's using. I'm going to double-check my openssl.cnf file.
-
ravi yarlagadda over 12 years
Well, OpenSSL's trust really doesn't matter for getting the certificate working in Apache. What issues are you having with that (since the certs look perfectly valid)?
-
chapkom over 12 years
The domain keeps presenting a self-signed certificate that is assigned to localhost.localdomain instead of using the SSL I got from Network Solutions for my actual domain.
-
ravi yarlagadda over 12 years
What does your Apache config for the site look like? And did you fully restart (not just reload) Apache after making the configuration changes?
-
chapkom over 12 years
I did a full stop/start on Apache. Config options for SSL for the domain are as follows: SSLEngine on, SSLCertificateFile /absolute/path/to/cert, SSLCertificateKeyFile /absolute/path/to/key, SSLCertificateChainFile /absolute/path/to/file, SSLCACertificateFile /absolute/path/to/CA
-
ravi yarlagadda over 12 years
Is there another SSL virtualhost in place elsewhere, perhaps? What's the output from apache2ctl -S?
-
chapkom over 12 years
There is only one SSL virtual host in place right now. I did notice something strange in the output, though. My unsecured domains (port 80) all use the domain name as the default server. My secured domain uses the local FQDN as the default server. It seems to be using the default settings from the ssl.conf file for Apache instead of the settings I designated in the VirtualHost section of httpd.conf.
-
ravi yarlagadda over 12 years
What's in ssl.conf?
-
chapkom over 12 years
ssl.conf has a default:443 entry with SSLCertificateFile /path/to/self-signed/cert and SSLCertificateKeyFile /path/to/self-signed/key. I haven't been able to figure out how to override those settings, though. Shouldn't the directives within httpd.conf have done that?
-
chapkom over 12 years
OK. I moved the SSL directives from httpd.conf into a VirtualHost inside the ssl.conf file ahead of the default:443 VirtualHost, and that seems to have cleared up the SSL issue. Shane, you have been an incredible help and I thank you greatly for taking this much time out of your day to assist me.
-
ravi yarlagadda over 12 years
Great! When the system allows you to, go ahead and put in an answer to the question and mark it as accepted, so that future searchers with the same issue can find it.
-