OCSP validation - unable to get local issuer certificate
I'm new to setting up SSL from scratch and did my first steps. I bought an SSL cert from RapidSSL for my domain and followed their steps to install the cert. In general the cert is valid and working on my webserver (nginx v1.4.6 - Ubuntu 14.04.1 LTS), but if I'm trying to activate OCSP stapling I get the following error in my nginx error.log:
OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: gv.symcd.com
I tried it also with this command from the command line:
openssl s_client -connect mydomain.tld:443 2>&1 < /dev/null
And got the "same" error as in my error.log:
[...]SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 [...] Start Time: 1411583991 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate)
But if I download the GeoTrust Root Certificate and try it with this command:
openssl s_client -connect mydomain.tld:443 -CAfile GeoTrust_Global_CA.pem 2>&1 < /dev/null
Verification is ok:
[...]SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 [...] Start Time: 1411583262 Timeout : 300 (sec) Verify return code: 0 (ok)
So somehow the GeoTrust Root Cert isn't found/delivered.
My nginx site config:
server {
    listen 443;
    server_name mydomain.tld;
    ssl on;
    ssl_certificate /etc/ssl/certs/ssl.crt;
    ssl_certificate_key /etc/ssl/private/ssl.key;
    # Resumption
    ssl_session_cache shared:SSL:20m;
    # Timeout
    ssl_session_timeout 10m;
    # Security options
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # OCSP Stapling
    # It means that you send status info about your certificate along with the request,
    # instead of making the browser check the certificate with the Certificate Authority.
    # This removes a large portion of the SSL overhead, the CloudFlare post above explains it in more detail.
    ssl_stapling on;
    ssl_stapling_verify on;
    #ssl_trusted_certificate /etc/ssl/certs/ssl.pem;
    #resolver 8.8.8.8 8.8.4.4 valid=300s;
    #resolver_timeout 10s;
    # This forces every request after this one to be over HTTPS
    add_header Strict-Transport-Security "max-age=31536000";
    [...]
}
RapidSSL wrote in their documentation that I should add the following certificates to ssl.crt in the following order:
- myserver.crt
- Intermediate CA Bundle (RapidSSL SHA256 CA - G3)
- Intermediate CA Bundle (GeoTrust Global CA)
So I did...
Right now I've no idea what I'm doing wrong... hopefully someone here can help me.
Thank you!
Solution 1:
Those two errors were unrelated although the error message was the same.
[...]SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 [...] Start Time: 1411583991 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate)
The above error was issued by the openssl s_client command. As explained by Florian Heigl, you get this error because openssl s_client needs the GlobalSign Root cert in /etc/ssl/certs.
OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: gv.symcd.com
This error was issued by the nginx OCSP routine, specifically when you add the ssl_stapling_verify on; line in nginx.conf.
Here is an excerpt from the documentation of ssl_stapling_verify to explain why it throws the error:
Syntax: ssl_stapling_verify on | off;
Enables or disables verification of OCSP responses by the server.
For verification to work, the certificate of the server certificate issuer, the root certificate, and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive.
In other words, you need to provide (2) Intermediate CA Bundle (RapidSSL SHA256 CA - G3) and (3) Intermediate CA Bundle (GeoTrust Global CA) to the ssl_trusted_certificate directive:
cat GeoTrustGlobalCA.crt rapidsslG3.crt > ocsp-chain.crt
and add ocsp-chain.crt to the ssl_trusted_certificate directive.
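As an added illustration of the point above (not the poster's commands), this shell script generates a throwaway root -> intermediate -> server chain with openssl, then shows that verifying the server cert against the root alone fails with OpenSSL error 20, the same "unable to get local issuer certificate" code from the question, while a trust file holding intermediate plus root, which is what ssl_trusted_certificate needs for stapling verification, passes. It assumes an openssl CLI with its default config; the function names are hypothetical and all certificates are constructed test material.

```shell
#!/bin/sh
# Added example: reproduces OpenSSL error 20 against an incomplete trust file.

# Generate root -> intermediate -> server certificates in directory $1 (constructed).
make_test_chain() {
    d="$1"; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\n' > "$d/leaf.ext"
    # Self-signed root (stands in for GeoTrust Global CA).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Test Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    # Intermediate signed by the root (stands in for RapidSSL SHA256 CA - G3).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    # Server certificate signed by the intermediate (stands in for myserver.crt).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=mydomain.tld" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$d/leaf.ext" -out "$d/server.crt" 2>/dev/null
}

# Concatenate CA certificates ($2 $3 ...) into trust file $1 for ssl_trusted_certificate.
# Unlike the ssl_certificate bundle, the order does not matter in a trust store.
build_trusted_chain() { out="$1"; shift; cat "$@" > "$out"; }

# Print OpenSSL's verify error code for certificate $1 against trust file $2:
# 0 = OK, 20 = "unable to get local issuer certificate" (the code in the question).
verify_code() {
    if out=$(openssl verify -CAfile "$2" "$1" 2>&1); then
        echo 0
    else
        code=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
        echo "${code:-1}"
    fi
}

demo() {
    dir=$(mktemp -d)
    make_test_chain "$dir"
    build_trusted_chain "$dir/ocsp-chain.crt" "$dir/root.crt" "$dir/int.crt"
    echo "root only:  $(verify_code "$dir/server.crt" "$dir/root.crt")"        # prints 20
    echo "full chain: $(verify_code "$dir/server.crt" "$dir/ocsp-chain.crt")"  # prints 0
    rm -rf "$dir"
}
demo
```

The root-only case is the nginx situation from the question: the responder's chain cannot be linked to a trusted issuer, so ssl_stapling_verify rejects the OCSP response.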
Solution 2:
I can only answer part of this.
openssl s_client -connect mydomain.tld:443 2>&1 < /dev/null
would need the GlobalSign Root cert in /etc/ssl/certs. There is a ca-certificates package; do you have that installed?