[SLL] unable to get local issuer certificate
Jeremy C. Reed
reed at reedmedia.net
Thu Oct 25 10:08:50 PDT 2007
On Thu, 25 Oct 2007, Mark Foster wrote:
> Jeremy C. Reed wrote:
> > Any ideas on what is wrong? Am I supposed to be also serving the Thawte
> > Premium Server Certificate? Is it supposed to be appended to my
> > SSLCertificateKeyFile or something?
> Hi Jeremy.
> I have found the following command useful in troubleshooting certificate
> verification issues.
> openssl s_client -connect serverhostname:443 -showcerts
>
> According to my research Thawte isn't using an intermediate CA, so you
> shouldn't be encountering a chaining issue where an intermediate CA cert
> needs to be specified using the SSLCertificateChainFile directive.
>
> Anyway run the command above and you can examine the chains to validate
> by hand.
> You can probably safely post the output to the list for further help.
Hi Mark,
Thanks for the info. I see it looks like the customer's certificate has
the problems. I see:
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
(I thawte^H^H^H^Hought it was a problem with Thawte.)
The output is below. I removed the company's details.
depth=0 /C=US/ST=California/L=Some Town/O=Example, Inc./CN=secure.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Some Town/O=Example, Inc./CN=secure.example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Some Town/O=Example, Inc./CN=secure.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/ST=California/L=Some Town/O=Example, Inc./CN=secure.example.com
i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server at thawte.com
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Some Town/O=Example, Inc./CN=secure.example.com
issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server at thawte.com
---
No client certificate CA names sent
---
SSL handshake has read 1446 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: C35FCD03D80EEE74309AB190B45476BB784174E57F36D6447C93807811EF5ECF
Session-ID-ctx:
Master-Key: 5F3F8C23FEB0C73CF5AB99DAA5ED29B582A791CE4D7ADD4D35A605A961E57159B37B6AEA9641AECD2FA926390982E112
Key-Arg : None
Start Time: 1193331617
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
closed
(I pressed "Enter" and it printed "closed".)
Jeremy C. Reed
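An added example, not part of the thread: a small Python parser for the s_client -showcerts output above that lists what the server actually presented and, for verify error 20, names the issuer that was found neither in the sent chain nor in the local trust store. The sample input is a constructed, trimmed copy of the transcript quoted in the mail.

```python
import re

# Constructed sample input, trimmed from the s_client -showcerts output in this thread.
SAMPLE = """\
depth=0 /C=US/ST=California/L=Some Town/O=Example, Inc./CN=secure.example.com
verify error:num=20:unable to get local issuer certificate
depth=0 /C=US/ST=California/L=Some Town/O=Example, Inc./CN=secure.example.com
verify error:num=27:certificate not trusted
depth=0 /C=US/ST=California/L=Some Town/O=Example, Inc./CN=secure.example.com
verify error:num=21:unable to verify the first certificate
Certificate chain
 0 s:/C=US/ST=California/L=Some Town/O=Example, Inc./CN=secure.example.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/CN=Thawte Premium Server CA
Verify return code: 21 (unable to verify the first certificate)
"""

DEPTH_RE = re.compile(r"^depth=(\d+) ")
ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
SUBJ_RE = re.compile(r"^\s*(\d+) s:(.*)$")
ISS_RE = re.compile(r"^\s*i:(.*)$")
CODE_RE = re.compile(r"^Verify return code: (\d+)")

def parse_s_client(text):
    """Return (chain, errors, code): chain = [(subject, issuer)] in the order the
    server sent them, errors = [(depth, errnum, message)], code = final verify code."""
    chain, errors, code, depth = [], [], None, None
    for line in text.splitlines():
        if m := DEPTH_RE.match(line):
            depth = int(m.group(1))          # depth of the cert the next error refers to
        elif m := ERR_RE.match(line):
            errors.append((depth, int(m.group(1)), m.group(2)))
        elif m := SUBJ_RE.match(line):
            chain.append([m.group(2), None])  # issuer filled in by the following i: line
        elif m := ISS_RE.match(line):
            chain[-1][1] = m.group(1)
        elif m := CODE_RE.match(line):
            code = int(m.group(1))
    return [tuple(c) for c in chain], errors, code

def diagnose(chain, errors, code):
    """Explain a failed verification from the presented chain and the verify errors."""
    if code == 0:
        return "chain verifies against the local trust store"
    top_subject, top_issuer = chain[-1]
    # Error 20 at the top of the chain: the issuer of the last presented cert was found
    # neither in the chain nor locally (intermediate -> server chain file; root -> CA bundle).
    if top_subject != top_issuer and (len(chain) - 1, 20) in {(d, n) for d, n, _ in errors}:
        return f"server sent {len(chain)} cert(s); missing issuer: {top_issuer}"
    return f"verify return code {code}: " + "; ".join(m for _, _, m in errors)
```

Feed it the real transcript with `parse_s_client(open("s_client.txt").read())`; a chain whose last certificate is self-signed but still fails points at the client's trust store rather than the server's configuration.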