lost and found ( for me ? )

openssl s_client : verify error:num=20:unable to get local issuer certificate

small tips.

Here’s how to solve the error “verify error:num=20:unable to get local issuer certificate” when connecting to HTTPS sites with the “openssl s_client” command.

# openssl s_client -connect google.com:443
CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
  i:/C=US/O=Google Inc/CN=Google Internet Authority
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
  i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority


There are two ways to solve this.

  1. Specify the server certificate file

Create a file containing the server certificate as printed above, from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----”.
# cat google.crt
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----

Specify the file with the -CAfile option.
# openssl s_client -CAfile google.crt -connect www.google.com:443 -debug -showcerts
CONNECTED(00000003)
write to 0x1944250 [0x196b780] (226 bytes => 226 (0xE2))
0000 - 16 03 01 00 dd 01 00 00-d9 03 02 51 42 cb 45 7a   ...........QB.Ez
0010 - 10 cc 75 53 74 bc 61 6e-29 98 28 64 30 23 69 d7   ..uSt.an).(d0#i.
0020 - 76 8e 16 2b 58 ec 93 76-62 4a 82 00 00 66 c0 14   v..+X..vbJ...f..
<snip>
   0050 - f6 69 67 d4 a0 c0 9c d1-8e fb c2 e7 ea a3 a6 d6   .ig.............
   0060 - d4 48 fa 77 9a d7 24 09-49 e9 8b 7d f4 de ad 2d   .H.w..$.I..}...-
   0070 - d5 ac a7 a7 c6 4d f5 07-bc bd 08 a5 cf 97 02 91   .....M..........
   0080 - e5 41 df 87 a9 df 93 df-86 af f6 38 e7 46 c3 b3   .A.........8.F..
   0090 - 98 63 60 df                                       .c`.

   Start Time: 1363331909
   Timeout   : 300 (sec)
   Verify return code: 0 (ok)
---
GET / HTTP/1.0
write to 0x1944250 [0x1975233] (40 bytes => 40 (0x28))
0000 - 17 03 02 00 23 15 22 62-d2 f3 45 c2 7d 0a 6d 04   ....#."b..E.}.m.
0010 - 28 b9 01 ad dd 57 46 30-78 f6 75 04 e7 4a cf 4b   (....WF0x.u..J.K
<snip>
#


  2. Specify the root CA certificate file

On Ubuntu 12.04 the CA certificate bundle is located at /etc/ssl/certs/ca-certificates.crt.
The file name and location of the CA bundle may differ between distributions and versions.
root@ubuntu1204-vm1:~# update-ca-certificates
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

root@ubuntu1204-vm1:~# updatedb

root@ubuntu1204-vm1:~# locate ca-certificates.crt
/etc/ssl/certs/ca-certificates.crt


Specify the CA cert file.
root@ubuntu1204-vm1:~# openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect www.google.com:443 -debug -showcerts
CONNECTED(00000003)
write to 0x2309250 [0x2330780] (226 bytes => 226 (0xE2))
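The second method above, wrapped into a reusable check as an added shell example that is not from the original post: it locates the distribution's CA bundle, runs s_client with -CAfile against it, and reads the "Verify return code" line, which is what tells you whether the chain really validated against a trust store (as opposed to the first method, which only trusts the one certificate you pasted). The bundle paths other than Ubuntu's, the function names and the constructed sample output are assumptions.

```shell
# Added example, not from the original post: locate the system CA bundle,
# verify a TLS endpoint against it with openssl s_client, and read the result.

# Well-known bundle locations (assumed; the post only names the Ubuntu 12.04 path).
CA_BUNDLE_CANDIDATES="/etc/ssl/certs/ca-certificates.crt \
/etc/pki/tls/certs/ca-bundle.crt /etc/ssl/ca-bundle.pem /etc/ssl/cert.pem"

# Constructed s_client session tail, used to demonstrate the parser offline.
SAMPLE_SCLIENT_TAIL="    Start Time: 1363331909
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)"

# Print the first readable CA bundle; fall back to cert.pem under OPENSSLDIR.
find_ca_bundle() {
    for f in $CA_BUNDLE_CANDIDATES; do
        [ -r "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    dir=$(openssl version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
    [ -n "$dir" ] && [ -r "$dir/cert.pem" ] && { printf '%s\n' "$dir/cert.pem"; return 0; }
    return 1
}

# Read s_client output on stdin and print the numeric verify code ("0" means the
# chain validated against the given CA file; "20" is the error from the post).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Parse the constructed sample above; prints "20".
sample_verify_code() {
    printf '%s\n' "$SAMPLE_SCLIENT_TAIL" | verify_code
}

# Verify host[:port] against the detected bundle. Prints the code; exit status is
# 0 only when the chain verified, so it can gate a script or a monitoring check.
check_tls_chain() {
    host=$1; port=${2:-443}
    bundle=$(find_ca_bundle) || { echo "no CA bundle found" >&2; return 2; }
    # -servername sends SNI so a shared host returns the right certificate;
    # </dev/null ends the session instead of waiting for interactive input.
    out=$(openssl s_client -CAfile "$bundle" -servername "$host" \
          -connect "$host:$port" </dev/null 2>/dev/null)
    code=$(printf '%s\n' "$out" | verify_code)
    printf 'verify return code for %s: %s\n' "$host" "${code:-unknown}"
    [ "$code" = "0" ]
}
```

Run `check_tls_chain www.google.com` on a machine with network access; a non-zero exit means the chain did not validate against the bundle that was found.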
