OpenSSL Verify return code: 20 (unable to get local issuer certificate)
I had the same problem and solved it by passing the path to a directory where CA keys are stored. On Ubuntu it was:
openssl s_client -CApath /etc/ssl/certs/ -connect address.com:443
This error also happens if you're using a self-signed certificate with a keyUsage missing the value keyCertSign.
Solution: You must explicitly add the parameter -CAfile your-ca-file.pem.
Note: I also tried the -CApath parameter mentioned in other answers, but it does not work for me.
Explanation: The error "unable to get local issuer certificate" means that openssl does not know your root CA cert.
Note: If you have a web server with more domains, do not forget to also add the -servername your.domain.net parameter. This parameter will "Set TLS extension servername in ClientHello". Without this parameter, the response will always contain the default SSL cert (not the certificate that matches your domain).
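Added example, not from this thread: a shell script that builds a throwaway private CA and a leaf certificate for the constructed name address.com, then runs openssl verify four ways to show when return code 20 appears and what -CAfile and -CApath change. It assumes only that the openssl CLI is on PATH; note that a -CApath directory is searched by subject-hash filename (<hash>.0, which c_rehash or openssl rehash creates), so a directory holding a plain ca.pem gives code 20 just like no CA at all, which is one reason -CApath can seem not to work.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI; address.com is a constructed name.
set -eu
WORK="${WORK:-$(mktemp -d)}"
make_test_pki() {
    cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
subjectAltName = DNS:address.com
EOF
    # Root CA; keyUsage includes keyCertSign, the value the thread says must be present.
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 2 \
        -config "$WORK/pki.cnf" -extensions v3_ca >/dev/null 2>&1
    # Server leaf certificate issued by that CA.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" -subj "/CN=address.com" \
        -config "$WORK/pki.cnf" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -out "$WORK/srv.pem" -days 1 \
        -extfile "$WORK/pki.cnf" -extensions v3_leaf >/dev/null 2>&1
    # -CApath is searched by subject hash (<hash>.0), so a plain ca.pem in a
    # directory is never found; this is what c_rehash / openssl rehash set up.
    mkdir -p "$WORK/cadir"
    cp "$WORK/ca.pem" "$WORK/cadir/$(openssl x509 -hash -noout -in "$WORK/ca.pem").0"
}
# Verifies the leaf with the given openssl verify options; prints "OK" or the
# numeric error code (20 = unable to get local issuer certificate).
verify_leaf() {
    out=$(openssl verify "$@" "$WORK/srv.pem" 2>&1) && { echo OK; return 0; }
    echo "$out" | sed -n 's/^error \([0-9]*\) at .*/\1/p' | head -n 1
}
demo() {
    make_test_pki
    echo "no CA option:         $(verify_leaf)"                        # 20
    echo "-CAfile ca.pem:       $(verify_leaf -CAfile "$WORK/ca.pem")" # OK
    echo "-CApath, unhashed:    $(verify_leaf -CApath "$WORK")"        # 20
    echo "-CApath, hashed dir:  $(verify_leaf -CApath "$WORK/cadir")"  # OK
}
demo
```

The same -CAfile / -CApath options apply to openssl s_client, which is where the verify return code in the question comes from.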
Is your server configured for client authentication? If so, you need to pass the client certificate when connecting to the server.