[openssl-dev] [openssl.org #4510] SSL certificate problem: unable to get local issuer certificate. Bug?
Stephen Henson via RT
rt at openssl.org
Sat May 7 13:37:53 UTC 2016
On Fri May 06 22:37:55 2016, nbhfgq at gmail.com wrote:
> Hello Steve,
>
> *If I do not indicate the location of the cert*
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
> > PS C:\OpenSSL-Win32\bin> .\openssl s_client -connect
> > www.googleapis.com:443
> > CONNECTED(00000088)
> > depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
> > verify error:num=20:unable to get local issuer certificate
> > ---
OK we get an error above which is expected.
> > Verify return code: 20 (unable to get local issuer certificate)
>
And confirmed above.
>
> *I point to the newest cert*
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
> > PS C:\OpenSSL-Win32\bin> .\openssl s_client -CAfile
> > 'C:\xampp\php\cacert.pem' -connect www.googleapis.com:443
> > CONNECTED(000000D8)
> > depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
> > verify return:1
> > depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
> > verify return:1
> > depth=0 C = US, ST = California, L = Mountain View, O = Google Inc,
> > CN = *.
> > googleapis.com
> > verify return:1
No error.
> > Verify return code: 0 (ok)
>
And similarly above no error.
>
> *When I point to the old cert*
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>
> > PS C:\OpenSSL-Win32\bin> .\openssl s_client -CAfile
> > 'C:\xampp\php\cacert_old.pem' -connect www.googleapis.com:443
> > CONNECTED(00000140)
> > depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate
> > Authority
> > verify return:1
> > depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
> > verify return:1
> > depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
> > verify return:1
> > depth=0 C = US, ST = California, L = Mountain View, O = Google Inc,
> > CN = *.
> > googleapis.com
> > verify return:1
Again no error.
> > Verify return code: 0 (ok)
> >
> >
>
And again confirmed above.
It looks like with s_client it is working in both the old and new cases.
So I'm not sure what the problem is: it doesn't seem to be an issue with
OpenSSL though.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4510
Please log in as guest with password guest if prompted