[openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

Jakob Bohm jb-openssl at wisemo.com
Wed Dec 14 07:51:14 UTC 2016

On 14/12/2016 08:30, 杨俊 wrote:
> Hi openssl-er,
> I'm newbie in the openssl.
> Recently, I ported the openssl to my embedded linux device and ran the 
> openssl command.
> But there was an error occured.
> I had done google search a lot, but I didn't find the answer.
> My issue is strange, my test steps like below:
> 1. copy the openssl, libs, cacert.pem to the embedded linux platform.
Does cacert.pem contain the CA certificate that issued the certificate for
https://curl.haxx.se ?

In general, the argument to -CAfile should be the concatenation of the PEM
format CA root certificates that your embedded platform wants to trust as
issuing trustworthy certificates for servers you will connect to.

Alternatively, the argument to -CApath should point to a directory
(traditionally named "/etc/ssl/certs") containing:

   One PEM file with each such trusted CA certificate
   The symlinks generated by the c_rehash script (these map simple checksums
     of the certificate names to the file names containing CA certificates
     with names with those checksums, this reduces memory consumption but
     increases disk read operations).

If your embedded file system does not support symlinks, you can instead
rename the PEM files to the names of the symlinks that c_rehash generates
on a more full-blown development computer.

> 2. run the command:
> /tmp #:./openssl s_client -connect curl.haxx.se:443 
> <http://curl.haxx.se:443> -CAfile /tmp/cacert.pem
> 3. the error log is
> ------log ----------------
> CONNECTED(00000003)
> depth=0 CN = anja.haxx.se <http://anja.haxx.se>
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = anja.haxx.se <http://anja.haxx.se>
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=anja.haxx.se <http://anja.haxx.se>
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
> Server certificate
> ----------------------------------
> 4. my openssl version -d and version is
> /tmp # ./openssl version
> OpenSSL 1.1.0c  10 Nov 2016
> /tmp # ./openssl version -d
> OPENSSLDIR: "/home/georgeyang/workspace/speech_code/openssl/openssl/final"
> 5. In my PC, I found this command worked well. It could return the ok 
> value.
> Although the openssl version is 1.0.1f.
> So I think my cacert.pem is right.
> 6. I also used other command like:
> /tmp # ./openssl s_client -connect curl.haxx.se:443 
> <http://curl.haxx.se:443> -CApath /tmp/cacert.pem
> /tmp # ./openssl s_client -CApath 
> /home/georgeyang/workspace/speech_code/openssl/openssl/final/ -connect 
> curl.haxx.se:443 <http://curl.haxx.se:443>
> /tmp # ./openssl s_client -connect curl.haxx.se:443 
> <http://curl.haxx.se:443> -servername curl.haxx.se 
> <http://curl.haxx.se> -key /etc/ssl/private/ssl-cert-snakeoil.key 
> -CAfile /etc/ssl/certs/cacert.pem
> But they are all NG.
> In google, they all said -CAfile or -CApath could help, But it doesn't 
> work for me. >"<
> Please help


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list