Re: It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Jakob & openssl-er,

> Just to be sure (sometimes OpenSSL checks its default -CApath even
> if you specify a -CAfile) try this command on the development machine:

> openssl x509 -subject -noout -in cacert.pem

> Compare to the deepest value from the screenshot above.


I get the log from the embedded linux device and my PC.
Sorry, I don't get the deference in the platform, but there is some deference between the platform and PC.
Is this help?

------------------------------from embedded platform NG log--------------
/tmp # ./openssl x509 -subject -noout -in cacert-2016-11-02.pem 
subject=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA

/tmp # ./openssl s_client -connect curl.haxx.se:443 -CAfile ./cacert-2016-11-02.pem 
CONNECTED(00000003)
depth=0 CN = anja.haxx.se                                            /////////////////////////////////always  depth=0////////////////////////////////////////
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=anja.haxx.se
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
    ----
-----END CERTIFICATE-----
subject=/CN=anja.haxx.se
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3143 bytes and written 302 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: AB3322B63747715342DB68B4D18C27F98CF84D4A0E2711719E8B96FA5DA5C1FD
    Session-ID-ctx: 
    Master-Key: 240CC5C33C7185E49C74076133DF385AB0282A3C68D6D6DC3CB74D0DB845E4242F61DA09A28B544CB5B1D39FA839E6AD
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    .....
    Start Time: 39804
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---
closed
/tmp # 


------------------------------from PC ok log--------------------------------------
georgeyang@georgeyang-virtual-machine:/mnt/hgfs/share/task/danale_task/3516a$ openssl x509 -subject -noout -in cacert-2016-11-02.pem 
subject= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

georgeyang@georgeyang-virtual-machine:/mnt/hgfs/share/task/danale_task/3516a$ openssl s_client -connect curl.haxx.se:443 -CAfile ./cacert-2016-11-02.pem 
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3                  //////////////////////////////////////depth 0,1,2/////////////////////////////////
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = anja.haxx.se
verify return:1
---
Certificate chain
 0 s:/CN=anja.haxx.se
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
       ----
-----END CERTIFICATE-----
subject=/CN=anja.haxx.se
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3148 bytes and written 443 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 5640820B2C49B9B2E68563DFDFC7303BE01DE69E7EB4C6C833B4F7872CD173E5
    Session-ID-ctx: 
    Master-Key: 48783D2D0E03CE5EACB7AF2577E0E2AFE4F056B191BFB2641D08E602C54BF651B9C195DCFBD2AECC2092B035848B005B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
     ---
    Start Time: 1481718602
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed
georgeyang@georgeyang-virtual-machine:/mnt/hgfs/share/task/danale_task/3516a$ 

--------------------------------------------------------------------------------------------------------

thank you for your help.
Thanks a lot.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux