OpenSSL Verify return code: 20 (unable to get local issuer certificate)

openssl

I had the same problem and solved it by passing path to a directory where CA keys are stored. On Ubuntu it was:

openssl s_client -CApath /etc/ssl/certs/ -connect address.com:443

This error also happens if you're using a self-signed certificate with a keyUsage missing the value keyCertSign.


Solution: You must explicitly add the parameter -CAfile your-ca-file.pem.

Note: I tried also param -CApath mentioned in another answers, but is does not works for me.

Explanation: Error unable to get local issuer certificate means, that the openssl does not know your root CA cert.

Note: If you have web server with more domains, do not forget to add also -servername your.domain.net parameter. This parameter will "Set TLS extension servername in ClientHello". Without this parameter, the response will always contain the default SSL cert (not certificate, that match to your domain).


Is your server configured for client authentication? If so you need to pass the client certificate while connecting with the server.

Related

Is it good practice to make getters and setters inline?
Can I keep Nuget on the jQuery 1.9.x/1.x path (instead of upgrading to 2.x)?
Using Keras & Tensorflow with AMD GPU
Calling async methods from non-async code
Is a Java int always 32 bits?
How can I find out if code is running inside a JUnit test or not?
How does load differ from require in Ruby?
How to abort a merge in mercurial?
How to get a fresh copy of a branch from the remote repository?
What does the clearfix class do in css? [duplicate]
What does it mean when TsLint says "expected callSignature to have a typedef."
Moshi vs Gson in android [closed]