[SLL] unable to get local issuer certificate
Jeremy C. Reed
reed at reedmedia.net
Thu Oct 25 10:34:44 PDT 2007
It was suggested off-list for me to try a copy of Thawte's cert and
include it via SSLCertificateChainFile. (Thanks Brian.)
I had a copy of it in my ca-bundle.crt file. So I got it out and put it in
the SSLCertificateChainFile file (and uncommented that and restarted
apache).
Now the "unable to get local issuer certificate" problem is gone.
And "openssl s_client -connect .... -showcerts" output removes the
complaints about it and adds:
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server at thawte.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
And Thawte's certificate.
And lynx complains:
SSL error:self signed certificate in certificate chain-Continue? (y)
And wget complains:
ERROR: Certificate verification error for secure.podbridge.com: self signed certificate in certificate chain
No complaint from firefox for me. (I will ask my customer to test in
MSIE.)
By the way, wget and lynx both complain the same for me when going to
https://www.verisign.com/support/roots.html (which provides certs for
thawte).
And "openssl s_client -connect www.verisign.com:443 -showcerts" for me
shows:
depth=3 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
I am guessing that problem is because I don't have the CA details set up
when using openssl (via lynx and wget) and it won't matter for my customer
using MSIE.
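
The two verify errors in the message above can be reproduced offline. This is an added example, not part of the original post: it builds a constructed throwaway root CA and leaf (the names "Constructed Root CA" and www.example.test are made up) and runs `openssl verify` with the root missing, supplied only as an untrusted chain certificate, and supplied as a trusted CA file.

```shell
#!/bin/sh
# Added example: constructed throwaway root CA and leaf (all names made up).
make_pki() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root, then a leaf key + CSR, then the leaf signed by the root.
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -keyout "$dir/root.key" -out "$dir/root.pem" -days 2 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/leaf.pem" -days 2 2>/dev/null
}

# Print the first verify error number openssl reports, or 0 when it says OK.
verify_err() {
    out=$(openssl verify "$@" 2>&1) || true
    code=$(printf '%s\n' "$out" |
        sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    if [ -n "$code" ]; then echo "$code"
    elif printf '%s\n' "$out" | grep -q ': OK$'; then echo 0
    else echo "unexpected: $out"; fi
}

d=$(mktemp -d) && make_pki "$d"
# Issuer not available at all: "unable to get local issuer certificate".
echo "leaf only:               $(verify_err "$d/leaf.pem")"
# Root supplied as a chain cert but not trusted by the client:
# "self signed certificate in certificate chain".
echo "root in chain, no trust: $(verify_err -untrusted "$d/root.pem" "$d/leaf.pem")"
# Root present in the client's trust store: verification succeeds.
echo "root trusted (-CAfile):  $(verify_err -CAfile "$d/root.pem" "$d/leaf.pem")"
```

Error 19 here comes from the verifying client lacking the root in its own trust store, not from the contents of the chain the server sends.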