Thank you so much, I would never have figured that out in a million years!
It works perfectly following those instructions. And always good to know
the "how" in case I trip over it again, much appreciated.

Apologies for the richtext, I blame Google for that one...



On 23 September 2013 22:25, Dave Thompson <dthomp...@prinpay.com> wrote:

> Sorry for top-posting but you apparently posted richtext and my new
> “improved” Outlook can no longer impoverish text correctly nor reply
> inline to richtext. Bah.
>
> You don’t need the full chain(s), only the root(s), since both servers
> send chain as they should.
>
> The difference is that the sumologic chain uses “GeoTrust Primary
> Certification Authority” which appears to be both self-signed and
> (cross)signed by Equifax probably for transition (although 2006 is a
> while back now) and the server actually sends the cross-signed one.
> Firefox (at least the current version 24 I can check) has the
> self-signed version “built-in” which it uses (and exports). OpenSSL on
> the contrary will not (yet) override a received cert with a truststore
> one, so it needs the Equifax root. Which is also in FF 24; under
> Authorities find Equifax Secure CA, export that and use that.
>
> If you really want to know how (as asked) not just what, if you have
> openssl commandline the easiest way is to run openssl s_client -connect
> host:port and look at the cert chaining (0 s: and i:, 1 s: and i:, and
> so on), and in this case compare to what FF displays. If you need the
> contents of the non-leaf certs (here you don’t really) add -showcerts.
>
> Note the sumologic leaf cert has Subject CN sumologic.com, but
> SubjectAlternativeNames correctly specifying other names including
> collectors.sumologic.com. EV certs aren’t allowed to use wildcard names.
>
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of James Crowley
> Sent: Monday, September 23, 2013 14:28
> To: openssl-users@openssl.org
> Subject: *** Spam *** Debugging cause of "unable to get local issuer
> certificate" - one cert works, one doesn't
>
> Hi everyone,
>
> I'm hitting a "unable to get local issuer certificate" error on a specific
> SSL certificate, and I was wondering how I can best debug this? It's via
> NXLog which uses OpenSSL so a bit disconnected from the underlying library
> at the moment, and I'm not too familiar with OpenSSL.
>
> I've exported the full SSL certificate chain for both logs-01.loggly.com and
> collectors.sumologic.com using Firefox, each into their own pem file.
> When establishing a connection, the first works fine, the second gives me:
>
> SSL certificate verification failed: unable to get local issuer
> certificate (err: 20)
>
> The only difference I can spot is the second is an EV certificate, and is
> for sumologic.com whereas the first is explicitly *.loggly.com. If I
> deliberately mis-match the certificates then I get
>
> "SSL certificate verification failed: self signed certificate in
> certificate chain (err: 19)"
>
> so it's definitely something specific to the SumoLogic certificate
> verification chain as far as I can tell?
>
> Any help would be much appreciated.
>
> J
>



-- 

---
James Crowley
CTO, FundApps - a new generation in financial services software -
http://www.fundapps.co/
Founder, developerFusion - the global developer community -
http://www.developerfusion.com/

linkedin: http://linkedin.com/in/jamescrowley
twitter: http://twitter.com/jamescrowley
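The chaining check Dave describes above, as an added shell example that is not part of this thread: it parses the `Certificate chain` block that `openssl s_client -connect host:port` prints (the `0 s:`/`i:`, `1 s:`/`i:` lines), finds the top cert the server actually sent, and reports which root the local truststore must contain. It runs offline on a constructed transcript; the DNs, the server name, the "Example Intermediate CA" and the truststore listings are all made up for the example (the GeoTrust and Equifax names come from the thread, the exact DN strings do not). It generalises the thread's case by also handling a chain whose top cert is self-signed.

```shell
#!/bin/sh
# Added example (not from the thread): parse the "Certificate chain" block
# that `openssl s_client -connect host:port` prints and work out which root
# the local truststore must contain. All DNs below are constructed for the
# example; "Example Intermediate CA" is hypothetical. The chain shape
# mirrors the thread: the top cert the server sends is a cross-signed root,
# so its ISSUER, not its subject, is the anchor OpenSSL needs locally.
CROSS_SIGNED_SAMPLE='CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/O=Example Corp/CN=collectors.example.com
   i:/C=US/O=Example CA Inc./CN=Example Intermediate CA
 1 s:/C=US/O=Example CA Inc./CN=Example Intermediate CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
(base64 omitted in this constructed sample)
-----END CERTIFICATE-----'

# Constructed transcript of the easy case: the server sends a self-signed root.
SELF_SIGNED_SAMPLE='---
Certificate chain
 0 s:/C=US/O=Example Corp/CN=*.example.net
   i:/C=US/O=Example CA Inc./CN=Example Root CA
 1 s:/C=US/O=Example CA Inc./CN=Example Root CA
   i:/C=US/O=Example CA Inc./CN=Example Root CA
---'

# Constructed truststore listings in the "subject=" form that
#   openssl crl2pkcs7 -nocrl -certfile roots.pem | openssl pkcs7 -print_certs -noout
# prints on OpenSSL 1.0.x (later versions print "subject=C = US, ..." with spaces).
# First: only what Firefox exports for this chain (the self-signed GeoTrust copy).
TRUSTSTORE_FF_EXPORT='subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority'
# Second: the same plus the Equifax root, which is what Dave suggests adding.
TRUSTSTORE_WITH_EQUIFAX='subject=/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
subject=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority'

# One tab-separated "depth<TAB>subject<TAB>issuer" line per cert in the chain.
chain_pairs() {
    printf '%s\n' "$1" | awk '
        /^Certificate chain/      { inchain = 1; next }
        inchain && /^---/         { exit }
        inchain && /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
        inchain && /^ *i:/        { sub(/^ *i:/, ""); printf "%s\t%s\t%s\n", depth, subj, $0 }
    '
}

# The root the verifier must have locally: the issuer of the LAST cert sent.
# For a self-signed top cert that is its own subject; for a cross-signed top
# cert it is the cross-signer (here Equifax), which is Dave's point.
required_root() {
    chain_pairs "$1" | tail -n 1 | awk -F'\t' '{ print $3 }'
}

# "self-signed" or "cross-signed", describing the top cert the server sent.
top_cert_kind() {
    chain_pairs "$1" | tail -n 1 | awk -F'\t' '{ if ($2 == $3) print "self-signed"; else print "cross-signed" }'
}

# True if the DN in $1 appears as a subject in the truststore listing in $2.
root_in_truststore() {
    printf '%s\n' "$2" | grep -F -x -q "subject=$1"
}

# Mirror what OpenSSL's verifier will conclude for this chain and truststore.
diagnose() {
    root=$(required_root "$1")
    if root_in_truststore "$root" "$2"; then
        printf 'ok: chain anchors at %s\n' "$root"
    else
        printf 'unable to get local issuer certificate: add %s to the truststore\n' "$root"
    fi
}

# Stand-alone run: show the chain the way s_client does, then diagnose both truststores.
chain_pairs "$CROSS_SIGNED_SAMPLE" | awk -F'\t' '{ printf "%s s:%s\n  i:%s\n", $1, $2, $3 }'
diagnose "$CROSS_SIGNED_SAMPLE" "$TRUSTSTORE_FF_EXPORT"
diagnose "$CROSS_SIGNED_SAMPLE" "$TRUSTSTORE_WITH_EQUIFAX"
```

Against a live server, feed the script the real output of `openssl s_client -connect host:port </dev/null` (add `-showcerts` if you also want the non-leaf certificates themselves, as Dave notes) and the `subject=` listing of your actual PEM bundle. Dave's "will not (yet) override a received cert with a truststore one" is specific to the OpenSSL of 2013: from OpenSSL 1.1.0 the verifier prefers a matching truststore certificate over the one the server sent (`X509_V_FLAG_TRUSTED_FIRST` is on by default), so the Firefox-exported self-signed GeoTrust root alone would satisfy a current OpenSSL build.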
