openssl unable to get local issuer certificate debian
Solution 1
You need to specify the CA cert in order to verify the issued cert since it's obviously not included in the pem (though this would be possible):
openssl verify -CAfile your_ca_cert_file cert.pem
If you do not get the error on CentOS then there's the CA cert around and openssl can use it to successfully verify cert.pem.
Solution 2
You need to make your CA trusted on the server. For example, if your cert is from GoDaddy, run the following commands.
cd /tmp
sudo wget -O gd_intermediate.crt https://certs.godaddy.com/repository/gd_intermediate.crt
sudo cp /tmp/gd_intermediate.crt /usr/local/share/ca-certificates/gd_intermediate.crt
sudo update-ca-certificates
After running these commands, your certificate should be verified.
openssl verify cert.pem
0chi0
Updated on July 09, 2022
Comments
-
0chi0 almost 2 years
I cannot verify the certificate with openssl
openssl verify cert.pem
Gets something like this:
cert.pem: / C = PL / O = DATA
error 20 at 0 depth lookup: unable to get local issuer certificate
The same cert from the machine on CentOS - verified correctly.
Debian: squeeze / sid
Is it a problem with the CA ROOT? Update openssl help?
-
0chi0 over 9 years
Thx for the reply. If I understood:
- From the Debian done command: openssl verify -CAfile ca-bundle.crt cert.pem
where:
- ca-bundle.crt - ROOT CA of the certificate issuer (Unizeto / Certum - Poland)
- cert.pem - certificate obtained from the issuer (Unizeto / Certum - Poland)
The result - test performed on a Debian system:
openssl verify -CAfile bundle.crt ca-cert.pem cert.pem: OK
openssl verify cert.pem
cert.pem: / C = PL / O = data...
error 20 at 0 depth lookup: unable to get local issuer certificate
How to do that without indicating ca-bundle.crt - my certificate has a status of OK?
-
Tyler Crompton about 9 years
You should not use wget to download certificates. There are known weaknesses with wget. A viable alternative is curl. I'm too lazy to provide a link though.
-
lm713 over 8 years
You can also set and export the environment variables SSL_CERT_FILE or SSL_CERT_DIR...
export SSL_CERT_FILE=/path/to/ca_bundle.crt
or
export SSL_CERT_DIR=/path/to/ca/dir
Then you do not have to specify CAfile or CApath in every openssl command.
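
Added example (not from any of the posts above): a shell script that reproduces error 20 with a throwaway CA and then clears it three ways, with -CAfile as in Solution 1 and with SSL_CERT_FILE and SSL_CERT_DIR as in the last comment. The CA name, demo.example and the temporary paths are constructed. The example goes one step further than the thread by showing that a directory given in SSL_CERT_DIR must hold the CA under its subject-hash file name.

```shell
#!/bin/sh
# Throwaway CA and leaf, constructed for this demo (not a real issuer).
work=$(mktemp -d)
cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Demo CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
make_chain() {
    # Self-signed root that plays the role of the "local issuer certificate"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$work/ca.cnf" \
        -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
    # Leaf key and CSR, then a leaf certificate issued by that root
    openssl req -new -newkey rsa:2048 -nodes -config "$work/ca.cnf" \
        -subj "/C=PL/O=DATA/CN=demo.example" \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$work/leaf.csr" -CA "$work/ca.pem" \
        -CAkey "$work/ca.key" -CAcreateserial -days 1 \
        -out "$work/cert.pem" 2>/dev/null
}
# Each helper prints openssl's verdict; "|| true" keeps a failed verify
# from aborting a caller that runs under "set -e".
verify_plain() {      # issuer is in no trust store: error 20
    ( unset SSL_CERT_FILE SSL_CERT_DIR
      openssl verify "$work/cert.pem" 2>&1 ) || true
}
verify_cafile() {     # issuer named on the command line
    openssl verify -CAfile "$work/ca.pem" "$work/cert.pem" 2>&1 || true
}
verify_env_file() {   # issuer supplied through SSL_CERT_FILE
    SSL_CERT_FILE="$work/ca.pem" openssl verify "$work/cert.pem" 2>&1 || true
}
verify_env_dir() {    # directory lookups need <subject-hash>.0 file names
    mkdir -p "$work/cadir"
    h=$(openssl x509 -hash -noout -in "$work/ca.pem")
    cp "$work/ca.pem" "$work/cadir/$h.0"
    SSL_CERT_DIR="$work/cadir" openssl verify "$work/cert.pem" 2>&1 || true
}
make_chain
for f in verify_plain verify_cafile verify_env_file verify_env_dir; do
    echo "== $f"; $f
done
```

On Debian, update-ca-certificates (Solution 2) maintains the same kind of hash-named entries in the system certificate directory, which is why a CA copied into /usr/local/share/ca-certificates is found afterwards without -CAfile.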