OpenSSL not picking up CAs in certs folder by default
Please try using -CAfile instead of -CApath and point to the single concatenated CA certificates file. E.g.:
openssl s_client -connect secure.ogone.com:443 -showcerts \
-CAfile /etc/ssl/certs/ca-certificates.crt
This works for me, showing verify return:1 and a full certificate chain.
Background information: this /etc/ssl/certs/ca-certificates.crt is managed by the update-ca-certificates command, simply concatenating all system-wide installed certificates, including those manually installed in /usr/local/share/ca-certificates/.
Updated on September 18, 2022
Comments
gertvdijk over 1 year
On Ubuntu 12.04 LTS, I am getting a certificate validation error if the CApath is not explicitly set.
Tried several solutions, but nothing works. It is causing so many issues installing new packages on my system (tried on at least two systems).
Successful command:
openssl s_client -connect secure.ogone.com:443 -showcerts -CApath /etc/ssl/certs/
Success with Verify return code: 0 (ok)
Unsuccessful command:
openssl s_client -connect secure.ogone.com:443 -showcerts
Failed with Verify return code: 20 (unable to get local issuer certificate)
I tried the following solution based on the wiki responses, but it is also not working:
openssl x509 -noout -hash -in /etc/ssl/certs/GeoTrust_Global_CA.pem
2c543cd1
openssl x509 -noout -subject_hash_old -in /etc/ssl/certs/GeoTrust_Global_CA.pem
7999be0d
openssl x509 -noout -subject_hash -in /etc/ssl/certs/GeoTrust_Global_CA.pem
2c543cd1
I can see the difference in hash values.
I tried adding a script to create symbolic links with -subject_hash_old and -subject_hash. But the problem continues to happen and I get the error code Verify return code: 20 (unable to get local issuer certificate).
Created the following script to create symbolic links in /etc/ssl/certs. Links with subject_hash_old and subject_hash are successfully created:
#!/bin/sh
# The links must live inside /etc/ssl/certs, so work from there
cd /etc/ssl/certs || exit 1
for FILE in /etc/ssl/certs/*.pem
do
  hasholdsub=$(openssl x509 -noout -subject_hash_old -in "$FILE")
  hashsub=$(openssl x509 -noout -subject_hash -in "$FILE")
  echo "$hasholdsub $hashsub"
  # link the certificate under both the old and the new hash name
  ln -sf "$FILE" "$hasholdsub.0"
  ln -sf "$FILE" "$hashsub.0"
  # also collect everything into one concatenated bundle
  cat "$FILE" >> ca-certificats-gen.crt
done
But this problem still exists.
Please help to resolve the issue.
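As an added example (not code from the post or its author), assuming only that the openssl CLI is installed: a shell script that generates a throwaway test CA and leaf, builds a -CApath directory by hand with the subject_hash-named symlinks OpenSSL requires, and verifies the leaf against it both ways, showing why a directory holding the CA under a plain file name is not found while a -CAfile bundle needs no hashing at all.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI.
# The CA and leaf certificate are throwaway test data generated here.
set -e
WORK=$(mktemp -d)                     # absolute path, so symlink targets are absolute
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: a self-signed CA and one leaf certificate it signs.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Test CA' \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj '/CN=leaf.example.test' \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/leaf.pem" >/dev/null 2>&1

# -CApath only finds a CA if the directory holds it under <subject_hash>.N.
# This is what c_rehash / "openssl rehash" does; done by hand here to show it.
# Usage: make_capath DIR CAFILE...
make_capath() {
  dir=$1; shift
  mkdir -p "$dir"
  for ca in "$@"; do
    hash=$(openssl x509 -noout -subject_hash -in "$ca")
    n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done   # .0, .1, ... on collision
    ln -s "$ca" "$dir/$hash.$n"
  done
}

# Each returns 0 when LEAF chains to a trusted CA, non-zero otherwise.
verify_with_capath() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }
verify_with_cafile() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Hashed directory: found.  Same CA under a plain file name: not found.
make_capath "$WORK/certs" "$WORK/ca.pem"
mkdir -p "$WORK/unhashed" && cp "$WORK/ca.pem" "$WORK/unhashed/ca.pem"

if verify_with_capath "$WORK/certs" "$WORK/leaf.pem"; then echo "CApath (hashed): ok"; fi
if ! verify_with_capath "$WORK/unhashed" "$WORK/leaf.pem"; then echo "CApath (unhashed): not found"; fi
if verify_with_cafile "$WORK/ca.pem" "$WORK/leaf.pem"; then echo "CAfile (bundle): ok"; fi
```

The same check applied to a real system directory (run `ls -l /etc/ssl/certs | grep '\.0 ->'`) shows whether each installed CA is reachable under its subject_hash name, which is what -CApath lookups depend on.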