[openssl-users] Fwd: Error in Opening SSL Certificate

Viktor Dukhovni openssl-users at dukhovni.org
Thu Aug 10 18:55:48 UTC 2017


On Thu, Aug 10, 2017 at 06:27:41PM +0530, Amiya Das wrote:

> I have written an application for connecting to AzureIOT hub using AMQP
> protocol.
> When I run the application it fails because of SSL issue stating *14090086:SSL
> routines:ssl3_get_server_certificate:certificate verify failed.*

This means that the certificate chain presented does not chain up
to a locally trusted root CA, or is expired, or some other chain
verification problem.  You need to determine what certificates are
presented by the remote peer, what trust anchors (root CAs) you're
using and why the chain does not verify against these trust-anchors.

> Any help would be appreciated.
> Below are the details for the OS
> Yocto linux
> Kernel 4.4.19-gdb0b54cdad
> 
> Info: IoT Hub SDK for C, version 1.1.19

That's largely irrelevant.

> I am not sure why this issue is appearing, it looks like an openssl issue.
> But I do have the openssl certificates in the below location,
> "/etc/ssl/certs/ca-certificates.crt"

That's not where OpenSSL will look by default, unless:

> Following is more information using openssl,
> 
> -sh-3.2# openssl version -d
> OPENSSLDIR: "/usr/lib/ssl"

OpenSSL will by default look in:

    <OPENSSLDIR>/certs.pem	- PEM file with multiple trusted certificates
    <OPENSSLDIR>/certs/		- Directory with certificate files "hashed" via c_rehash

Perhaps you have symlinks in place that lead to ca-certificates.crt,
or code to populate the /certs/ directory, but otherwise you'll
need such links, or the application will need to explicitly set the
appropriate CAfile or CApath.

>     Verify return code: 20 (unable to get local issuer certificate)

Your CAfile/CApath do not contain a trust-anchor that verifies the
given chain.

-- 
	Viktor.
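As an added example (not Viktor's code and not part of the OpenSSL project or the IoT SDK), the following Python script carries out the diagnosis above on the local host: it reports the OPENSSLDIR-derived default locations and whether they actually exist, falls back to common distribution bundles such as the Yocto path quoted in the thread, and then loads the chosen store explicitly instead of relying on OPENSSLDIR. The FALLBACK_STORES list and the probe host/port are assumptions.

```python
import os
import socket
import ssl

# Constructed list of bundle locations to try after OpenSSL's own defaults.
FALLBACK_STORES = ("/etc/ssl/certs/ca-certificates.crt",  # Debian/Ubuntu/Yocto (path from the thread)
                   "/etc/pki/tls/certs/ca-bundle.crt",    # RHEL/Fedora
                   "/etc/ssl/certs")                      # c_rehash-style hashed directory

def default_verify_locations():
    """'compiled_*' are the OPENSSLDIR-derived paths; 'usable_*' are None when absent on this host."""
    p = ssl.get_default_verify_paths()
    return {"compiled_cafile": p.openssl_cafile, "compiled_capath": p.openssl_capath,
            "usable_cafile": p.cafile, "usable_capath": p.capath,
            "env_overrides": (p.openssl_cafile_env, p.openssl_capath_env)}  # SSL_CERT_FILE/SSL_CERT_DIR

def pick_trust_store(candidates=FALLBACK_STORES, include_defaults=True):
    """First existing store as ('cafile', path) or ('capath', path), OpenSSL's usable default
    first; None means verification must fail with verify return code 20."""
    if include_defaults:
        p = ssl.get_default_verify_paths()
        if p.cafile:
            return ("cafile", p.cafile)
        if p.capath:
            return ("capath", p.capath)
    for path in candidates:
        if os.path.isfile(path):
            return ("cafile", path)
        if os.path.isdir(path) and os.listdir(path):  # an empty certs/ directory is no store
            return ("capath", path)
    return None

def verifying_context(store):
    """Client context that loads the chosen store explicitly rather than trusting OPENSSLDIR."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and hostname check by default
    kind, path = store
    ctx.load_verify_locations(cafile=path if kind == "cafile" else None,
                              capath=path if kind == "capath" else None)
    return ctx

def probe(host, port=443):
    """Connect and report the verified peer's subject, or the OpenSSL verify error."""
    store = pick_trust_store()
    if store is None:
        return "no trust store found: set SSL_CERT_FILE or load one explicitly"
    try:
        with socket.create_connection((host, port), timeout=10) as raw, \
             verifying_context(store).wrap_socket(raw, server_hostname=host) as tls:
            return f"verified via {store[1]}: subject={tls.getpeercert()['subject']}"
    except ssl.SSLCertVerificationError as e:
        return f"verify failed, code {e.verify_code}: {e.verify_message}"
```

Run `print(default_verify_locations())` first: if `usable_cafile` and `usable_capath` are both None while the compiled paths point under `/usr/lib/ssl`, that is exactly the situation described in the thread, and `probe("<your-hub-hostname>", 5671)` will show which store the fallback picked.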

