openssl unable to get local issuer certificate debian

Solution 1

You need to specify the CA cert in order to verify the issued cert since it's obviously not included in the pem (though this would be possible):

openssl verify -CAfile your_ca_cert_file cert.pem

If you do not get the error on CentOS, then the CA cert is around there and openssl can use it to successfully verify cert.pem.

Solution 2

You need to make your CA trusted on the server. For example, if your cert is from GoDaddy, run the following commands.

cd /tmp
sudo wget -O gd_intermediate.crt https://certs.godaddy.com/repository/gd_intermediate.crt
sudo cp /tmp/gd_intermediate.crt /usr/local/share/ca-certificates/gd_intermediate.crt
sudo update-ca-certificates

After running these commands, your certificate should be verified.

openssl verify cert.pem

Author: 0chi0

Updated on July 09, 2022

Comments

  • 0chi0, almost 2 years ago

    I can not verify the certificate by openssl

    openssl verify cert.pem

    Gets something like this:

    cert.pem: / C = PL / O = DATA
    error 20 at 0 depth lookup: unable to get local issuer certificate

    The same cert from the machine on Centos - verified correctly.

    Debian: squeeze / sid

    Is it a problem with the CA ROOT? Update openssl help?

  • 0chi0, over 9 years ago

    Thx for reply. If I understood: from the Debian done command: openssl verify -CAfile ca-bundle.crt cert.pem where:

    - ca-bundle.crt - ROOT CA of the certificate issuer (Unizeto / Certum - Poland)
    - cert.pem - certificate obtained from the issuer (Unizeto / Certum - Poland)

    The result - test performed on a Debian system:

    openssl verify -CAfile bundle.crt ca-cert.pem
    cert.pem: OK

    openssl verify cert.pem
    cert.pem: / C = PL / O = data... error 20 at 0 depth lookup: unable to get local issuer certificate

    How to do that without indicating ca-bundle.crt - my certificate has a status of OK?
  • Tyler Crompton, about 9 years ago

    You should not use wget to download certificates. There are known weaknesses with wget. A viable alternative is curl. I'm too lazy to provide a link though.
  • lm713, over 8 years ago

    You can also set and export the environment variables SSL_CERT_FILE or SSL_CERT_DIR:

    export SSL_CERT_FILE=/path/to/ca_bundle.crt

    or

    export SSL_CERT_DIR=/path/to/ca/dir

    Then you do not have to specify CAfile or CApath in every openssl command.