Here’s how to resolve the error “verify error:num=20:unable to get local issuer certificate” when connecting to HTTPS sites with the “openssl s_client” command.
```
# openssl s_client -connect google.com:443
CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
```
There are two ways to solve this.
- Specify the server certificate file

Create a file containing the text from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----” in the output above.

```
# cat google.crt
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
```

Specify the file with the -CAfile option.
```
# openssl s_client -CAfile google.crt -connect www.google.com:443 -debug -showcerts
CONNECTED(00000003)
write to 0x1944250 [0x196b780] (226 bytes => 226 (0xE2))
0000 - 16 03 01 00 dd 01 00 00-d9 03 02 51 42 cb 45 7a   ...........QB.Ez
0010 - 10 cc 75 53 74 bc 61 6e-29 98 28 64 30 23 69 d7   ..uSt.an).(d0#i.
0020 - 76 8e 16 2b 58 ec 93 76-62 4a 82 00 00 66 c0 14   v..+X..vbJ...f..
<snip>
0050 - f6 69 67 d4 a0 c0 9c d1-8e fb c2 e7 ea a3 a6 d6   .ig.............
0060 - d4 48 fa 77 9a d7 24 09-49 e9 8b 7d f4 de ad 2d   .H.w..$.I..}...-
0070 - d5 ac a7 a7 c6 4d f5 07-bc bd 08 a5 cf 97 02 91   .....M..........
0080 - e5 41 df 87 a9 df 93 df-86 af f6 38 e7 46 c3 b3   .A.........8.F..
0090 - 98 63 60 df                                       .c`.
    Start Time: 1363331909
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
GET / HTTP/1.0
write to 0x1944250 [0x1975233] (40 bytes => 40 (0x28))
0000 - 17 03 02 00 23 15 22 62-d2 f3 45 c2 7d 0a 6d 04   ....#."b..E.}.m.
0010 - 28 b9 01 ad dd 57 46 30-78 f6 75 04 e7 4a cf 4b   (....WF0x.u..J.K
<snip>
#
```
- Specify the root CA certificate file

On Ubuntu 12.04, the CA certificate file is located at /etc/ssl/certs/ca-certificates.crt.
The file name and location of the CA certificate file may differ between distributions and versions.
```
root@ubuntu1204-vm1:~# update-ca-certificates
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
root@ubuntu1204-vm1:~# updatedb
root@ubuntu1204-vm1:~# locate ca-certificates.crt
/etc/ssl/certs/ca-certificates.crt
```
Specify the CA certificate file.

```
root@ubuntu1204-vm1:~# openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect www.google.com:443 -debug -showcerts
CONNECTED(00000003)
write to 0x2309250 [0x2330780] (226 bytes => 226 (0xE2))
```
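An added example, not part of the original post: a shell helper that reads `openssl s_client` output and reports whether the chain actually verified, because s_client continues the handshake after `verify error:num=20` and the failure is easy to miss in scripts. The function names and the embedded sample outputs (abbreviated from the sessions above) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# Read `openssl s_client` output on stdin; print "OK" or
# "FAIL <code> <reason>". Returns 0 only when no "verify error:" line
# was seen and the final "Verify return code" is 0.
verify_status() {
    awk '
        /^verify error:num=/ {
            # e.g. verify error:num=20:unable to get local issuer certificate
            split($0, f, ":"); sub(/^num=/, "", f[2])
            err_code = f[2]; err_msg = f[3]
        }
        /Verify return code:/ {
            line = $0
            sub(/.*Verify return code: */, "", line)
            code = line; sub(/ .*/, "", code)
            msg = line; sub(/^[0-9]+ *\(/, "", msg); sub(/\).*$/, "", msg)
            final = code; final_msg = msg
        }
        END {
            if (err_code != "") { print "FAIL " err_code " " err_msg; exit 1 }
            if (final == "0")   { print "OK"; exit 0 }
            if (final != "")    { print "FAIL " final " " final_msg; exit 1 }
            print "FAIL unknown no verification result in input"; exit 1
        }'
}

# Live check (needs network). The verify lines go to stderr, hence 2>&1.
# usage: check_tls host:port /path/to/ca-bundle
check_tls() {
    openssl s_client -CAfile "$2" -servername "${1%:*}" -connect "$1" \
        </dev/null 2>&1 | verify_status
}

# Constructed samples, abbreviated from the two sessions on this page.
SAMPLE_FAIL='CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0'
SAMPLE_OK='CONNECTED(00000003)
    Start Time: 1363331909
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)'
```

For example, `check_tls www.google.com:443 /etc/ssl/certs/ca-certificates.crt` exits non-zero when the CA bundle does not contain the issuer.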