'openssl verify' outputs 'unable to get local issuer certificate'

Solution 1:

If you want to use openssl verify, you should instead use:

openssl verify -CAfile your-intermediates-and-final.pem mywebsite.crt

where your-intermediates-and-final.pem contains all intermediate and final (trust anchor) certificates concatenated inside, in PEM format. If you want to use the -CApath /etc/ssl/certs option, each intermediate certificate must be in the /etc/ssl/certs directory and you must execute as root:

$ c_rehash

nginx seems to be correctly configured. Verify the permissions are correct and you have the two following config parameters in your server {} or http {} section:

ssl_certificate /path/to/your/mywebsite.pem;
ssl_certificate_key /path/to/your/mywebsite.key;

and in your server {} section:

listen 443 ssl;

EDIT - this was part of the answer to the original question:

The key only contains the private key and no certificate, so there is no point in "openssl verify"ing it.

Solution 2:

OpenSSL only needs to be run as root when it needs to read private data such as private keys in /etc/ssl/private/. For certificate verification, root is not needed. Certificates in /etc/ssl/certs should be readable by everyone so that every user and every piece of software can verify certificates. Or do you enter the root password every time you visit a website?

$ openssl verify mywebsite.pem
mywebsite.pem: OU = GT46830179, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = *.logitapp.com
error 20 at 0 depth lookup:unable to get local issuer certificate

Looking at the manpage of verify(1ssl):

   2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate
       the issuer certificate of a looked up certificate could not be found. This normally means the list of trusted certificates is not complete.

You need to give openssl some information about where in the chain the certificates are needed:

openssl verify [-CApath directory] [-CAfile file] [-untrusted file] [certificates]

For example:

openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem

See also this question on SO


$ openssl verify mywebsite.key I get a message saying
unable to load certificate
139893743232656:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

The certificate could not be loaded, as you gave it a private key. This is the opposite of a certificate, which holds the public key with additional information about the certificate chain, validity etc. The error message clearly says what is expected: Expecting: TRUSTED CERTIFICATE


You only need to "install" a root certificate if it is not already trusted by your OS and you want it to be trusted. But as you talk about servers, there's no point in including your own domain's certificate in the trust store. Your software (nginx in this case) needs to have access to a certificate file including the full trust chain, from the leaf certificate of your domain up to the root certificate of your CA (optional).

Please either see nginx's documentation, look for other questions of this kind (the internet, including SE and SF, is full of them), or give an exact and detailed description of your problem.

Solution 3:

You must cat all certs into a final CA_Chain.crt:

cat RootCA.crt IntermediateCert1 IntermediateCert2 > CA_Chain.crt

openssl verify -CAfile CA_Chain.crt website.crt

(website.crt is signed by IntermediateCert2)
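The -CAfile/-untrusted invocation from Solution 2 and the concatenated-bundle approach from Solutions 1 and 3, shown end to end in an added demo script that is not part of any answer above. It assumes openssl 1.1.1 or newer on PATH; the CA names, the hostname www.example.test and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added demo (not from any answer above): build a throwaway root -> intermediate
# -> leaf chain, then show why a bare "openssl verify leaf.pem" fails with
# error 20 while chain-aware invocations succeed. All names are constructed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF

make_chain() {
  # Root CA: self-signed trust anchor.
  openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Root" -keyout root.key -out root.pem 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -config req.cnf -new -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate" -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile req.cnf -extensions ca_ext -out int.pem 2>/dev/null
  # Leaf (server) certificate, signed by the intermediate only.
  openssl req -config req.cnf -new -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -extfile req.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null
}

# Each verifier returns openssl's exit status (0 = chain verified).
# No chain material given: issuer not found -> "error 20 ... unable to get local issuer certificate".
verify_bare()   { openssl verify leaf.pem; }
# Solution 2 style: root as trust anchor, intermediate as untrusted chain material.
verify_chain()  { openssl verify -CAfile root.pem -untrusted int.pem leaf.pem; }
# Solutions 1 and 3 style: intermediate and root concatenated into one -CAfile.
verify_bundle() { cat int.pem root.pem > bundle.pem; openssl verify -CAfile bundle.pem leaf.pem; }

make_chain
verify_bare || echo "(bare verify failed as expected)"
verify_chain
verify_bundle
```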