[openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

杨俊 yangjun9772 at gmail.com
Thu Dec 15 09:26:40 UTC 2016

Hi Jakob & Michael & opensslers,

I'm sorry to ask a stupid question.
That I found when I used the openssl1.0.1f, it said the error log:
/tmp # ./openssl s_client -connect curl.haxx.se:443 -CAfile ./cacert.pem
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=9:certificate is not yet valid
///////////////////////////new error
notBefore=Sep 30 21:12:19 2000 GMT
verify return:0
Certificate chain
 0 s:/CN=anja.haxx.se
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Server certificate
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
No client certificate CA names sent
SSL handshake has read 3148 bytes and written 445 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 2002
 /////////////////////////////////////// time 2002
    Timeout   : 300 (sec)
    Verify return code: 9 (certificate is not yet valid)
Is this error occurred by the system clock of my platform?
Actually, I didn't do anything to synchronize time in my platform(no NTP).
Would this be a reason for my first issue and this issue?
I'm trying to do NTP now.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20161215/9de332af/attachment.html>

More information about the openssl-users mailing list