[openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

杨俊 yangjun9772 at gmail.com
Wed Dec 14 07:30:26 UTC 2016 

Hi openssl-er,

I'm newbie in the openssl.
Recently, I ported the openssl to my embedded linux device and ran the
openssl command.
But there was an error occured.
I had done google search a lot, but I didn't find the answer.
My issue is strange, my test steps like below:
1. copy the openssl, libs, cacert.pem to the embedded linux platform.

2. run the command:
/tmp #:./openssl s_client -connect curl.haxx.se:443 -CAfile /tmp/cacert.pem

3. the error log is
------log ----------------
CONNECTED(00000003)
depth=0 CN = anja.haxx.se
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=anja.haxx.se
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
----------------------------------

4. my openssl version -d and version is
/tmp # ./openssl version
OpenSSL 1.1.0c  10 Nov 2016
/tmp # ./openssl version -d
OPENSSLDIR: "/home/georgeyang/workspace/speech_code/openssl/openssl/final"

5. In my PC, I found this command worked well. It could return the ok value.
Although the openssl version is 1.0.1f.
So I think my cacert.pem is right.

6. I also used other command like:
/tmp # ./openssl s_client -connect curl.haxx.se:443 -CApath /tmp/cacert.pem
/tmp # ./openssl s_client -CApath
/home/georgeyang/workspace/speech_code/openssl/openssl/final/ -connect
curl.haxx.se:443
/tmp # ./openssl s_client -connect curl.haxx.se:443 -servername curl.haxx.se
-key /etc/ssl/private/ssl-cert-snakeoil.key -CAfile
/etc/ssl/certs/cacert.pem
But they are all NG.

In google, they all said -CAfile or -CApath could help, But it doesn't work
for me. >"<
Please help

Thx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20161214/6ba9e94c/attachment-0001.html>

More information about the openssl-users mailing list