OpenSSL unable to verify the first certificate for Experian URL

Question

I am trying to verify an SSL connection to Experian in Ubuntu 10 10 with OpenSSL client    openssl s client -CApath  etc ssl certs  -connect dm1 experian com 443   The problem is that the connection closes with a Verify return code  21  unable to verify the first certificate    I ve checked the certificate list  and the Certificate used to sign Experian  VeriSign Class 3 Secure Server CA - G3  is included in the list    etc ssl certs ca-certificates crt    Yet I don t know why it is not able to verify the first certificate  Thanks in advance   The entire response could be seen here  https   gist github com 1248790

User · Accepted Answer

The first error message is telling you more about the problem:

verify error:num=20:unable to get local issuer certificate

The issuing certificate authority of the end entity server certificate is

VeriSign Class 3 Secure Server CA - G3

Look closely in your CA file - you will not find this certificate since it is an intermediary CA - what you found was a similar-named G3 Public Primary CA of VeriSign.

But why does the other connection succeed, but this one doesn't? The problem is a misconfiguration of the servers (see for yourself using the -debug option). The "good" server sends the entire certificate chain during the handshake, therefore providing you with the necessary intermediate certificates.

But the server that is failing sends you only the end entity certificate, and OpenSSL is not capable of downloading the missing intermediate certificate "on the fly" (which would be possible by interpreting the Authority Information Access extension). Therefore your attempt fails using s_client but it would succeed nevertheless if you browse to the same URL using e.g. FireFox (which does support the "certificate discovery" feature).

Your options to solve the problem are either fixing this on the server side by making the server send the entire chain, too, or by passing the missing intermediate certificate to OpenSSL as a client-side parameter.

User · Answer

Adding additional information to emboss s answer    To put it simply  there is an incorrect cert in your certificate chain   For example  your certificate authority will have most likely given you 3 files    your domain name crt   DigiCertCA crt        Or whatever the name of your certificate authority is  TrustedRoot crt     You most likely combined all of these files into one bundle    -----BEGIN CERTIFICATE-----   Your Primary SSL certificate  your domain name crt   -----END CERTIFICATE-----  -----BEGIN CERTIFICATE-----   Your Intermediate certificate  DigiCertCA crt   -----END CERTIFICATE-----  -----BEGIN CERTIFICATE-----   Your Root certificate  TrustedRoot crt   -----END CERTIFICATE-----   If you create the bundle  but use an old  or an incorrect version of your Intermediate Cert  DigiCertCA crt in my example   you will get the exact symptoms you are describing    SSL connections appear to work from browser SSL connections fail from other clients Curl fails with error   curl   60  SSL certificate   unable to get local issuer certificate  openssl s client -connect gives error  verify error num 20 unable to get local issuer certificate    Redownload all certs from your certificate authority and make a fresh bundle

User · Answer

I came across the same issue installing my signed certificate on an Amazon Elastic Load Balancer instance   All seemed find via a browser  Chrome  but accessing the site via my java client produced the exception  javax net ssl SSLPeerUnverifiedException  What I had not done was provide a  certificate chain  file when installing my certificate on my ELB instance  see https   serverfault com questions 419432 install-ssl-on-amazon-elastic-load-balancer-with-godaddy-wildcard-certificate   We were only sent our signed public key from the signing authority so I had to create my own certificate chain file  Using my browser s certificate viewer panel I exported each certificate in the signing chain   The order of the certificate chain in important  see https   forums aws amazon com message jspa messageID 222086

User · Answer

Here is what you can do - Exim SSL certificates By default  the  etc exim conf will use the cert key files   etc exim cert  etc exim key  so if you re wondering where to set your files  that s where  They re controlled by the exim conf s options  tls certificate    etc exim cert tls privatekey    etc exim key  Intermediate Certificates If you have a CA Root certificate  ca bundle  chain  etc   you ll add the contents of your CA into the exim cert  after your actual certificate  Probably a good idea to make sure you have a copy of everything elsewhere in case you make an error  Dovecot and ProFtpd should also read it correctly  so dovecot no longer needs the ssl ca option  So for both cases  there is no need to make any changes to either the exim conf or dovecot conf  etc dovecot conf ssl conf

User · Answer

If you are using MacOS use   sudo cp  usr local etc openssl cert pem  etc ssl certs   after this Trust anchor not found error disappears

[ssl] OpenSSL: unable to verify the first certificate for Experian URL

Examples related to ssl

Examples related to certificate

Examples related to openssl