How to fix "OpenSSL failed - error:0A000086:SSL routines::certificate verify failed"

Viktor Dukhovni openssl-users at dukhovni.org
Fri Dec 16 23:38:10 UTC 2022


On Fri, Dec 16, 2022 at 05:07:51PM -0500, Pierre-Luc Boily wrote:

>    1. I have a React front end using wss to communicate to my https nodejs
>    server. *It works ->* *This confirms that my key and certificate are
>    valid.*

But it does not confirm that the server sent a "full" certificate chain,
with all the required intermediate certificates.  It also does not
confirm that you've set the correct peer hostname in the OpenSSL case
(if you don't set the hostname at all, your connection is insecure).

> So, I had to dig into the OpenSSL code and I found where the error is
> triggered, see code below.  In my case *s->verify_mode* is equal to
> *SSL_VERIFY_PEER* and *i* equal to *0* and I don't know if those values are
> OK or not.

OpenSSL failed to validate the certificate chain; it could be missing
intermediate certificates (from the server), or the wrong expected peer
hostname specified on the client end.  It could also be related to SNI:
some servers return different certificates depending on what SNI name
is signalled by the client.

So double-check that the server certificate chain is complete (includes
all intermediate CA certificates) optionally apart from a root CA (trust
anchor) configured on the client.

Then ensure that the client application correctly sets the SNI extension
and the expected peer hostname to check in the server certificate.

-- 
    Viktor.
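The two checks Viktor recommends (is the intermediate present? does the expected hostname match?), reproduced offline with the openssl CLI. This is an added example, not code from the thread; it assumes `openssl` is on PATH and builds a throwaway root/intermediate/leaf chain with constructed names (`Demo Root`, `example.test`) in a temporary directory.

```shell
#!/bin/sh
# Added example: build root -> intermediate -> leaf, then show how
# "certificate verify failed" arises when the intermediate is missing
# or the client checks the wrong peer hostname. Names are constructed.
set -eu
WORK=${WORK:-$(mktemp -d)}
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Generate a root CA, an intermediate CA and a leaf for example.test.
make_demo_chain() (
  cd "$WORK"
  openssl req -x509 $KEYOPTS -keyout root.key -out root.pem \
    -subj "/CN=Demo Root" -days 2 2>/dev/null
  openssl req $KEYOPTS -keyout int.key -out int.csr \
    -subj "/CN=Demo Intermediate" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out int.pem -days 2 -extfile int.ext 2>/dev/null
  openssl req $KEYOPTS -keyout leaf.key -out leaf.csr \
    -subj "/CN=example.test" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > leaf.ext
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out leaf.pem -days 2 -extfile leaf.ext 2>/dev/null
)

# Verify leaf.pem against the root trust anchor only; extra arguments are
# passed through (-untrusted int.pem supplies the intermediate the server
# should have sent, -verify_hostname NAME is the client's expected peer name).
# Returns 0 on success, non-zero on "certificate verify failed".
verify_leaf() (
  cd "$WORK"
  openssl verify -CAfile root.pem "$@" leaf.pem >/dev/null 2>&1
)

# Report one verification scenario on stdout.
show() {
  label=$1; shift
  if verify_leaf "$@"; then echo "$label: OK"; else echo "$label: verify failed"; fi
}

make_demo_chain
show "leaf only (intermediate missing)"
show "leaf + intermediate" -untrusted int.pem
show "leaf + intermediate, hostname example.test" -untrusted int.pem -verify_hostname example.test
show "leaf + intermediate, hostname wrong.test" -untrusted int.pem -verify_hostname wrong.test
```

The first and last scenarios fail for exactly the two reasons named above; adding `-untrusted int.pem` stands in for a server that sends its full chain, and `-verify_hostname` stands in for the peer name the client must set.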

