[openssl-dev] [openssl.org #4510] SSL certificate problem: unable to get local issuer certificate. Bug?

Douglas E Engert deengert at gmail.com
Sat May 7 14:14:33 UTC 2016


The one that fails is using the default CAfile and CApath. The ones that work specify
-CAfile C:\xampp\php\cacert.pem
Maybe the default locations are out of date?
Also CApath "This directory must be in "hash format""
Are the hashes correct?

On 5/7/2016 8:37 AM, Stephen Henson via RT wrote:
> On Fri May 06 22:37:55 2016, nbhfgq at gmail.com wrote:
>> Hello Steve,
>>
>> *If I do not indicate the location of the cert*
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>
>>> PS C:\OpenSSL-Win32\bin> .\openssl s_client -connect
>>> www.googleapis.com:443
>>> CONNECTED(00000088)
>>> depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
>>> verify error:num=20:unable to get local issuer certificate
>>> ---
>
> OK we get an error above which is expected.
>
>>> Verify return code: 20 (unable to get local issuer certificate)
>>
>
> And confirmed above.
>
>>
>> *I point to the newest cert*
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>
>>> PS C:\OpenSSL-Win32\bin> .\openssl s_client -CAfile
>>> 'C:\xampp\php\cacert.pem' -connect www.googleapis.com:443
>>> CONNECTED(000000D8)
>>> depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
>>> verify return:1
>>> depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
>>> verify return:1
>>> depth=0 C = US, ST = California, L = Mountain View, O = Google Inc,
>>> CN = *.
>>> googleapis.com
>>> verify return:1
>
> No error.
>
>>> Verify return code: 0 (ok)
>>
>
> And similarly above no error.
>
>>
>> *When I point to the old cert*
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>
>>> PS C:\OpenSSL-Win32\bin> .\openssl s_client -CAfile
>>> 'C:\xampp\php\cacert_old.pem' -connect www.googleapis.com:443
>>> CONNECTED(00000140)
>>> depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate
>>> Authority
>>> verify return:1
>>> depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
>>> verify return:1
>>> depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
>>> verify return:1
>>> depth=0 C = US, ST = California, L = Mountain View, O = Google Inc,
>>> CN = *.
>>> googleapis.com
>>> verify return:1
>
> Again no error.
>
>>> Verify return code: 0 (ok)
>>>
>>>
>>
>
> And again confirmed above.
>
> It looks like with s_client it is working in both the old and new cases.
>
> So I'm not sure what the problem is: it doesn't seem to be an issue with
> OpenSSL though.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
>

-- 

  Douglas E. Engert  <DEEngert at gmail.com>
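
The two checks raised in this message (are the default locations populated, and is the CApath directory in hash format), as an added example that is not part of the original thread or of OpenSSL's own code. It assumes Python's `ssl` module, which reports the defaults of the OpenSSL library Python links against (these can differ from the `openssl.exe` used above); the function names and the sample file names are hypothetical.

```python
import os
import re
import ssl
import tempfile

# Lookup names OpenSSL uses in a CApath directory: 8 hex digits of the
# subject-name hash, a dot, then a sequence number ("r" prefix for CRLs).
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.r?\d+$")
PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def audit_cafile(path):
    """Return the number of PEM certificates in a bundle, or None if absent."""
    if not path or not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read().count(PEM_HEADER)


def audit_capath(path):
    """Split directory entries into hash-named lookups and everything else."""
    if not path or not os.path.isdir(path):
        return None
    names = sorted(os.listdir(path))
    hashed = [n for n in names if HASH_NAME.match(n)]
    # Entries without a hash-format name are never opened by a CApath lookup.
    return {"hashed": hashed, "ignored": [n for n in names if n not in hashed]}


def audit_defaults():
    """Audit the defaults compiled into the OpenSSL that Python links against."""
    paths = ssl.get_default_verify_paths()
    return {
        "cafile": (paths.openssl_cafile, audit_cafile(paths.openssl_cafile)),
        "capath": (paths.openssl_capath, audit_capath(paths.openssl_capath)),
    }


def demo():
    """Constructed sample: one descriptively named PEM, one hash-named entry."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("GeoTrust_Global_CA.pem", "0a1b2c3d.0"):
            with open(os.path.join(d, name), "w") as fh:
                fh.write(PEM_HEADER + "\n(constructed placeholder)\n")
        return audit_capath(d), audit_cafile(os.path.join(d, "0a1b2c3d.0"))


if __name__ == "__main__":
    print(audit_defaults())
    print(demo())
```

A `None` count for the default CAfile together with an empty or missing `hashed` list for the default CApath is consistent with verify error 20 appearing only when no `-CAfile` is given.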


