[openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

杨俊 yangjun9772 at gmail.com
Thu Dec 15 08:39:50 UTC 2016


 Hi Michael & opensslers,

> So: either there's more than one certificate in cacert-2016-11-02.pem, or
> OpenSSL on the PC is searching its default CA certificate directory in
> addition to cacert-2016-11-02.pem. Since we don't know what's actually in
> cacert-2016-11-02.pem, we can't provide much further help.

It seems there are many certificates in the cacert-2016-11-02.pem. A lot.
---------------------cacert-2016-11-02.pem------------

GlobalSign Root CA
==================
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

GlobalSign Root CA - R2
=======================
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----

Verisign Class 3 Public Primary Certification Authority - G3
============================================================
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----

Entrust.net Premium 2048 Secure Server CA
=========================================
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Baltimore CyberTrust Root
=========================
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

......so on...........

--------------------------------------------------------------


> Note that if there are multiple certificates in cacert-2016-11-02.pem,
> you'll have to split them up into separate files and create the correct
> hash link for each one, if you want to use a certificate directory.

Do I need to do this? >"<
Because other people (on the internet) who used this pem file have no problem.
They didn't separate it. And there are so many certificates.
And is this step right?
1. /tmp # ./openssl x509 -hash -fingerprint -noout -in /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem
     5ad8a5d6
     SHA1 Fingerprint=B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C
2. /etc/ssl/certs # ln -s /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem 5ad8a5d6.0
I will split them like this later.

> Did you actually capture that, or did you retype it? Because it's not
> valid openssl x509 output. Note that it doesn't match what you reported
> from the PC:

On the platform, the openssl version is 1.1.0c.
And on my PC, the openssl version is 1.0.1f.
Today, I have rebuilt openssl 1.0.1f for my platform again.
Although it was still NG.
And the log is the same as the PC now:
/tmp # ./openssl x509 -subject -noout -in /home/georgeyang/workspace/speech_code/openssl/final/openssl/certs/cacert-2016-11-02.pem
subject= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
/tmp #

Thank you very much
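
The splitting and hash-linking that the quoted reply describes, as an added example (not part of the original message and not OpenSSL's own tooling): `openssl x509` reads only the first certificate in a file, so each certificate in the bundle gets its own file and its own `<hash>.N` link. The `cert-NNN.pem` file names, the function names and the sample bundle are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. cert-NNN.pem and all function names are assumptions.

# write_sample_bundle FILE: constructed bundle in the layout quoted above.
# The base64 bodies are placeholders, not real certificates.
write_sample_bundle() {
    cat > "$1" <<'EOF'
Example Root A
==============
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----

Example Root B
==============
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----

Example Root C
==============
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
EOF
}

# split_bundle BUNDLE OUTDIR: write one file per PEM block, dropping the
# label and ==== lines between blocks; prints the number of files written.
split_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n); inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# link_hashes DIR: create a <subject-hash>.N symlink for every split file.
# N starts at 0 and is incremented when two subjects share the same hash.
link_hashes() {
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        h=$(openssl x509 -hash -noout -in "$f") || continue  # skip unparsable blocks
        n=0
        while [ -e "$1/$h.$n" ] || [ -L "$1/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$f")" "$1/$h.$n"
    done
}
```

With a real bundle, `split_bundle cacert-2016-11-02.pem ./certs && link_hashes ./certs` produces a directory that can be passed to `-CApath`; the hash must be computed by the same OpenSSL version that will read the directory.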