
Verify return code: 20 (unable to get local issuer certificate)


Lennart van den Dool | fonq.nl

Feb 10, 2011, 11:07:27 AM

Hi,

I can’t figure this out and I’ve been searching the net for hours, so I hope someone can help.

I want to make an ldaps connection to a remote server, but issuing

openssl s_client -ssl3 -connect [domain]:636 -state -verify

results in: Verify return code: 20 (unable to get local issuer certificate).

When I specify the -CAfile /etc/ssl/certs/AddTrust_External_CA_Root.pem it works fine.

How can I make openssl use (trust) that CAfile automatically?

Thanks in advance!

Regards,

Lennart

Mounir IDRASSI

Feb 10, 2011, 8:49:32 PM

Hi Lennart,

Issue the following command: openssl version -d
Its output will tell you which directory the openssl binary you are
calling is using for accessing CA certificates.
If it is not /etc/ssl, then this explains why you are getting this error:
you are using a binary that looks elsewhere (for example in
/usr/local/ssl).
On the other hand, if it is /etc/ssl, then you just need to update the
CA hashes in /etc/ssl/certs. For that, issue the following command:
c_rehash /etc/ssl/certs

I hope this will help.
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

yassin...@googlemail.com

Dec 5, 2012, 6:01:00 AM

Hi,

What Mounir wrote is correct. His answer helped me fix my issue too.
Nevertheless, I want to give more details, which might be helpful for others.

First, I am using Ubuntu as my OS,
so the directory where you should put your CA certificates (root CA and intermediate CAs) is /usr/lib/ssl/certs/

The CA certificates should have .pem or .crt extensions.
And you should be a superuser to be able to copy certificates into the directory and to use the c_rehash command.

In Ubuntu:

sudo c_rehash /usr/lib/ssl/certs

The output will be something like this:
Doing /usr/lib/ssl/certs
.
.
.
yourcertificate.crt => hash value
.
.
.

And that's it.
You can now verify your certificate again:

openssl verify your-signed-ca.crt

Cheers,
Yassine
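
Added example, not part of the original thread and not OpenSSL project code: the script below reproduces verify error 20 against a constructed throwaway CA, then clears it by creating the subject-hash link that c_rehash creates in a CA directory. The names demo_dir, make_demo_pki, verify_leaf and rehash_dir and the certificate subjects are assumptions made for the demo; it assumes the openssl CLI (1.1.0 or later) is on PATH.

```bash
#!/bin/sh
# Constructed demo: throwaway CA and leaf in a temp dir; the system trust store is untouched.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

make_demo_pki() {
  mkdir -p "$demo_dir/certs"
  # Minimal request config so the result does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' 'prompt = no' \
    '[dn]' 'CN = Demo Root CA' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
    > "$demo_dir/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$demo_dir/ca.cnf" \
    -keyout "$demo_dir/ca.key" -out "$demo_dir/certs/demo-ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$demo_dir/ca.cnf" \
    -subj "/CN=ldap.example.test" -keyout "$demo_dir/leaf.key" -out "$demo_dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$demo_dir/leaf.csr" -CA "$demo_dir/certs/demo-ca.pem" \
    -CAkey "$demo_dir/ca.key" -CAcreateserial -days 1 -out "$demo_dir/leaf.pem" 2>/dev/null
}

verify_leaf() {
  # Prints "OK", or the first "error N" that openssl verify reports.
  local out
  if out=$(openssl verify -CApath "$demo_dir/certs" "$demo_dir/leaf.pem" 2>&1); then
    echo "OK"
  else
    echo "$out" | grep -oE 'error [0-9]+' | head -n 1
  fi
}

rehash_dir() {
  # Stand-in for `c_rehash DIR`: link <subject-hash>.<n> to each certificate file.
  local dir="$1" f h n
  for f in "$dir"/*.pem "$dir"/*.crt; do
    [ -f "$f" ] && [ ! -L "$f" ] || continue
    h=$(openssl x509 -hash -noout -in "$f") || continue
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done   # same hash, next suffix
    ln -s "$(basename "$f")" "$dir/$h.$n"
    echo "$(basename "$f") => $h.$n"
  done
}

make_demo_pki
before=$(verify_leaf)            # CA file is in the directory, but has no hash link yet
rehash_dir "$demo_dir/certs"
after=$(verify_leaf)             # the lookup by subject hash now finds the issuer
echo "before rehash: $before / after rehash: $after"
```

On a real system the same links come from running c_rehash (or `openssl rehash` in OpenSSL 1.1.0 and later) on the certs directory under the path that `openssl version -d` reports.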