I am running Windows Vista and am attempting to affix via https to upload a file in a multi part form but I am having actually some trouble via the regional issuer certificate. I am just trying to figure out why this isnt working currently, and also go ago to my cURL code later after this is worked out. Im running the command:

openssl s_client -connect connect_to_website.com:443It gives me an digital certificate from VeriSign, Inc., however also shoots out an error:

Verify rerotate code: 20 (unable to get neighborhood issuer certificate)What is the regional issuer certificate? Is that a certificate from my own computer? Is there a means roughly this? I have actually tried utilizing -CAfile mozilla.pem file however still provides me very same error.

You are watching: Verify error:num=20:unable to get local issuer certificate


I had actually the same difficulty and addressed it by passing route to a catalog where CA keys are stored. On Ubuntu it was:

openssl s_client -CAcourse /etc/ssl/certs/ -attach address.com:443


This error also happens if you"re making use of a self-signed certificate through a keyUsage missing the value keyCertSign.


Solution:You have to clearly add the parameter -CAfile your-ca-file.pem.

Note: I tried additionally param -CAroute mentioned in another answers, but is does not works for me.

Explanation:Error unable to obtain neighborhood issuer certificate suggests, that the openssl does not recognize your root CA cert.

Note: If you have actually internet server with even more domains, perform not forgain to add additionally -servername your.domajor.net parameter. This parameter will "Set TLS expansion servername in ClientHello". Without this parameter, the response will always contain the default SSL cert (not certificate, that match to your domain).


Is your server configured for client authentication? If so you have to pass the client certificate while connecting through the server.


I had actually the exact same trouble on OSX OpenSSL 1.0.1i from Macports, and likewise had actually to specify CAroute as a workapproximately (and as stated in the Ubuntu bug report, also an invalid CAcourse will certainly make openssl look in the default directory). Interestingly, connecting to the very same server utilizing PHP"s openssl attributes (as provided in PHPMailer 5) operated fine.

put your CA & root certificate in /usr/share/ca-certificate or /usr/local/share/ca-certificate.Then

dpkg-reconfigure ca-certificates

or even reinstall ca-certificate package through apt-acquire.

After doing this your certificate is gathered into system"s DB:/etc/ssl/certs/ca-certificates.crt

Then every little thing need to be fine.

With client authentication:

openssl s_client -cert ./client-cert.pem -essential ./client-vital.key -CAroute /etc/ssl/certs/ -attach foo.instance.com:443
Create the certificate chain file through the intermediate and also root ca.

cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pemchmod 444 intermediate/certs/ca-chain.cert.pemThen verfify

openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/www.instance.com.cert.pemwww.example.com.cert.pem: OKDeploy the certific

I confronted the exact same concern, It gained addressed after keeping issuer topic value in the certificate as it is as topic of issuer certificate.

so please check "issuer topic value in the certificate(cert.pem) == subject of issuer (CA.pem)"

openssl verify -CAfile CA.pem cert.pem cert.pem: OK

this error messeras suggests thatCABundle is not given by (-CAfile ...) ORthe CABundle file is not closed by a self-signed root certificate.

Don"t issue. The connection to server will certainly work also you get theis message from openssl s_client ... (assumed you dont take other mistake too)

Thanks for contributing a response to Stack Overflow!

Please be sure to answer the question. Provide details and share your research!

But avoid

Asking for assist, clarification, or responding to other answers.Making statements based on opinion; ago them up through referrals or individual experience.

See more: For Cis-1,3-Dimethylcyclohexane, Which Two Chair Conformations Are In Equilibrium?

To learn even more, check out our tips on writing great answers.

Blog post Your Answer Discard

By clicking “Blog post Your Answer”, you agree to our terms of business, privacy plan and cookie policy

Not the answer you're looking for? Browse various other questions tagged openssl or ask your very own question.

Adding a brand-new SSL certificate to solve Verify return code: 20 (unable to acquire neighborhood issuer certificate)?
website design / logo design © 2021 Stack Exchange Inc; user contributions licensed under cc by-sa. rev2021.9.10.40187

Your privacy

By clicking “Accept all cookies”, you agree Stack Exreadjust have the right to keep cookies on your gadget and disclose indevelopment in accordance through our Cookie Policy.