[openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

Jakob Bohm jb-openssl at wisemo.com
Wed Dec 14 10:32:34 UTC 2016


On 14/12/2016 09:42, 杨俊 wrote:
> Hi openssl-er,
>
> > Does cacert.pem contain the CA certificate that issued the certificate for
> > https://curl.haxx.se ?
>
> I think cacert.pem is right, because I can get the OK result on my PC
> with this command:
>
> > If your embedded file system does not support symlinks, you can instead
> > rename the PEM files to the names of the symlinks that c_rehash generates
> > on a more full-blown development computer.
>
Just to be sure (sometimes OpenSSL checks its default -CApath even
if you specify a -CAfile) try this command on the development machine:

openssl x509 -subject -noout -in cacert.pem

Compare to the deepest value from the screenshot above.

> I don't know if my way is right. I do it like this:
>
>
> 1. On my device, I can't use c_rehash. It said no perl. I input the
> command like this:
> /tmp # ./openssl x509 -hash -fingerprint -noout -in /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem
> 5ad8a5d6
> SHA1 Fingerprint=B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C
>
> 2. input command:
> /etc/ssl/certs # ln -s /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem 5ad8a5d6.0
> /etc/ssl/certs # ls -l
> total 511
> lrwxrwxrwx    1 root root            88 Jan  1 06:53 5ad8a5d6.0 -> /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem
>
> Is this right?
>
> 3. the result is still NG
> /tmp # ./openssl s_client -connect curl.haxx.se:443 -CApath /etc/ssl/certs/
> CONNECTED(00000003)
> depth=0 CN = anja.haxx.se
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = anja.haxx.se
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
>
> 4. NG again
> CONNECTED(00000003)
> depth=0 CN = anja.haxx.se
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = anja.haxx.se
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/CN=anja.haxx.se
>    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>  1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> ---
> -----END CERTIFICATE-----
> subject=/CN=anja.haxx.se
> issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> ---
> No client certificate CA names sent
> Peer signing digest: SHA512
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 3143 bytes and written 302 bytes
> Verification error: unable to verify the first certificate
> ---
> New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
>     Session-ID: 3EA8329E6101B72FDA48B82E57049D637925CBC73064598B5B418270FFA5907C
>     Session-ID-ctx:
>     Master-Key: 61172C067AE0758A1BE71C7577B6A6E8EFD896516F602BCA30E4E369B61A4093702406403CF41FF3B9CFC2E9E76BE611
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 300 (seconds)
>     TLS session ticket:
> ---
>
>     Start Time: 24915
>     Timeout   : 7200 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
>     Extended master secret: no
> ---
> closed
>

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded