openssl s_client -connect connect_to_website.com:443
It gives me a digital certificate from VeriSign, Inc., but also shoots out an error:
Verify return code: 20 (unable to get local issuer certificate)
What is the local issuer certificate? Is that a certificate from my own computer? Is there a way around this? I have tried using -CAfile mozilla.pem file but it still gives me the same error.
I had the same problem and solved it by passing the path to a directory where CA keys are stored. On Ubuntu it was:
openssl s_client -CApath /etc/ssl/certs/ -connect address.com:443
This error also happens if you're using a self-signed certificate with a keyUsage missing the value keyCertSign.
Solution: You must explicitly add the parameter -CAfile your-ca-file.pem.
Note: I also tried the parameter -CApath mentioned in other answers, but it does not work for me.
Explanation: The error unable to get local issuer certificate means that openssl does not know your root CA cert.
Note: If you have a web server with more domains, do not forget to also add the -servername your.domain.net parameter. This parameter will "Set TLS extension servername in ClientHello". Without this parameter, the response will always contain the default SSL cert (not the certificate that matches your domain).
Is your server configured for client authentication? If so you have to pass the client certificate while connecting with the server.
I had the same problem on OSX OpenSSL 1.0.1i from Macports, and also had to specify CApath as a workaround (and as mentioned in the Ubuntu bug report, even an invalid CApath will make openssl look in the default directory). Interestingly, connecting to the same server using PHP's openssl functions (as used in PHPMailer 5) worked fine.
Put your CA & root certificate in /usr/share/ca-certificate or /usr/local/share/ca-certificate. Then
or even reinstall ca-certificate package with apt-get.
After doing this your certificate is gathered into the system's DB: /etc/ssl/certs/ca-certificates.crt
Then everything should be fine.
With client authentication:
openssl s_client -cert ./client-cert.pem -key ./client-key.key -CApath /etc/ssl/certs/ -connect foo.example.com:443
Create the certificate chain file with the intermediate and root CA.
cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
chmod 444 intermediate/certs/ca-chain.cert.pem
Then verify
openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/www.example.com.cert.pem
www.example.com.cert.pem: OK
Deploy the certific
I faced the same issue. It got resolved after keeping the issuer subject value in the certificate as it is as the subject of the issuer certificate.
So please check "issuer subject value in the certificate (cert.pem) == subject of issuer (CA.pem)"
openssl verify -CAfile CA.pem cert.pem
cert.pem: OK
This error message means that the CABundle is not given by (-CAfile ...) OR the CABundle file is not closed by a self-signed root certificate.
Don't worry. The connection to the server will work even if you get this message from openssl s_client ... (assuming you don't get other errors too)
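An added example, not part of the original thread: a shell script that builds a constructed root, intermediate and leaf in a temporary directory and reproduces what the answers above describe, namely error 20 when the -CAfile bundle lacks the leaf's issuer, OK when it holds the intermediate and the self-signed root, and the issuer/subject comparison. The function names and CN values are made up for illustration, and it assumes OpenSSL 1.1.0 or later on the PATH.

```shell
#!/bin/sh
# Constructed throwaway PKI: root -> intermediate -> leaf, written to directory $1.
build_chain() {
  dir=$1
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  new_key() {  # $1 = file stem, $2 = subject, rest = extra "openssl req" options
    stem=$1 subj=$2; shift 2
    openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -subj "$subj" \
      -keyout "$dir/$stem.key" "$@" 2>/dev/null
  }
  # CA certificates carry keyCertSign, the keyUsage value one answer calls out.
  new_key root "/CN=Constructed Root CA" -x509 -extensions ca -days 1 -out "$dir/root.pem"
  new_key int "/CN=Constructed Intermediate CA" -new -out "$dir/int.csr"
  new_key leaf "/CN=www.example.com" -new -out "$dir/leaf.csr"
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/ca.cnf" -extensions ca -days 1 -out "$dir/int.pem" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 1 -out "$dir/leaf.pem" 2>/dev/null
  cat "$dir/int.pem" "$dir/root.pem" > "$dir/chain.pem"  # intermediate first, root last
}

verify_code() {  # $1 = CA bundle, $2 = certificate; prints OK or the error number
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case $out in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

issuer_matches() {  # $1 = certificate, $2 = candidate issuer certificate
  i=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
  s=$(openssl x509 -noout -subject -in "$2" | sed 's/^subject= *//')
  [ "$i" = "$s" ]
}

d=$(mktemp -d)
build_chain "$d"
echo "-CAfile root.pem  -> $(verify_code "$d/root.pem" "$d/leaf.pem")"
echo "-CAfile chain.pem -> $(verify_code "$d/chain.pem" "$d/leaf.pem")"
issuer_matches "$d/leaf.pem" "$d/int.pem" && echo "leaf issuer == intermediate subject"
rm -rf "$d"
```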