OpenSSL Verify return code 20 unable to get local issuer certificate

Question

I am running Windows Vista and am attempting to connect via https to upload a file in a multi part form but I am having some trouble with the local issuer certificate  I am just trying to figure out why this isnt working now  and go back to my cURL code later after this is worked out  Im running the command   openssl s client -connect connect to site com 443   It gives me an digital certificate from VeriSign  Inc   but also shoots out an error   Verify return code  20  unable to get local issuer certificate    What is the local issuer certificate  Is that a certificate from my own computer  Is there a way around this  I have tried using -CAfile mozilla pem file but still gives me same error

User · Answer

this error messages means that CABundle is not given by (-CAfile ...) OR the CABundle file is not closed by a self-signed root certificate.

Don't worry. The connection to server will work even you get theis message from openssl s_client ... (assumed you dont take other mistake too)

User · Answer

put your CA  amp  root certificate in  usr share ca-certificate or  usr local share ca-certificate  Then   dpkg-reconfigure ca-certificates  or even reinstall ca-certificate package with apt-get   After doing this your certificate is collected into system s DB   etc ssl certs ca-certificates crt  Then everything should be fine

User · Answer

I had the same problem on OSX OpenSSL 1 0 1i from Macports  and also had to specify CApath as a workaround  and as mentioned in the Ubuntu bug report  even an invalid CApath will make openssl look in the default directory    Interestingly  connecting to the same server using PHP s openssl functions  as used in PHPMailer 5  worked fine

User · Answer

Solution  You must explicitly add the parameter -CAfile your-ca-file pem   Note  I tried also param -CApath mentioned in another answers  but is does not works for me   Explanation  Error unable to get local issuer certificate means  that the openssl does not know your root CA cert     Note  If you have web server with more domains  do not forget to add also -servername your domain net parameter  This parameter will  Set TLS extension servername in ClientHello   Without this parameter  the response will always contain the default SSL cert  not certificate  that match to your domain

User · Answer

Create the certificate chain file with the intermediate and root ca   cat intermediate certs intermediate cert pem certs ca cert pem  gt  intermediate certs ca-chain cert pem  chmod 444 intermediate certs ca-chain cert pem   Then verfify  openssl verify -CAfile intermediate certs ca-chain cert pem     intermediate certs www example com cert pem   www example com cert pem  OK Deploy the certific

User · Answer

Is your server configured for client authentication  If so you need to pass the client certificate while connecting with the server

User · Answer

With client authentication   openssl s client -cert   client-cert pem -key   client-key key -CApath  etc ssl certs  -connect foo example com 443

User · Answer

This error also happens if you re using a self-signed certificate with a keyUsage missing the value keyCertSign

User · Answer

I faced the same issue   It got fixed after keeping issuer subject value in the certificate as it is as subject of issuer certificate   so please check  issuer subject value in the certificate cert pem     subject of issuer  CA pem       openssl verify  -CAfile CA pem  cert pem    cert pem  OK

User · Answer

I had the same problem and solved it by passing path to a directory where CA keys are stored  On Ubuntu it was   openssl s client -CApath  etc ssl certs  -connect address com 443

[openssl] OpenSSL Verify return code: 20 (unable to get local issuer certificate)

Examples related to openssl