Hi openssl-er,

> Does cacert.pem contain the CA certificate that issued the certificate for
> https://curl.haxx.se ?

I think the cacert.pem is right, because I can get the OK result on my PC with this command:

> If your embedded file system does not support symlinks, you can instead
> rename the PEM files to the names of the symlinks that c_rehash generates
> on a more full-blown development computer.

I don't know if my way is right. I do it like this:

1. On my device, I can't use c_rehash. It said no perl. I input the command like this:

/tmp # ./openssl x509 -hash -fingerprint -noout -in /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem
5ad8a5d6
SHA1 Fingerprint=B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C

2. Input command:

/etc/ssl/certs # ln -s /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem 5ad8a5d6.0
/etc/ssl/certs # ls -l
total 511
lrwxrwxrwx 1 root root 88 Jan 1 06:53 5ad8a5d6.0 -> /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem

Is this right?

3. The result is still NG

/tmp # ./openssl s_client -connect curl.haxx.se:443 -CApath /etc/ssl/certs/
CONNECTED(00000003)
depth=0 CN = anja.haxx.se
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se
verify error:num=21:unable to verify the first certificate
verify return:1
---

4.
NG again

CONNECTED(00000003)
depth=0 CN = anja.haxx.se
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=anja.haxx.se
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
---
-----END CERTIFICATE-----
subject=/CN=anja.haxx.se
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3143 bytes and written 302 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 3EA8329E6101B72FDA48B82E57049D637925CBC73064598B5B418270FFA5907C
    Session-ID-ctx:
    Master-Key: 61172C067AE0758A1BE71C7577B6A6E8EFD896516F602BCA30E4E369B61A4093702406403CF41FF3B9CFC2E9E76BE611
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    ---
    Start Time: 24915
    Timeout : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---
closed

Thank you :-(
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
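
Added example (not part of the original message and not OpenSSL's own code): openssl x509 -hash reads only the first certificate in a file, so when the PEM file is a multi-certificate bundle, a single link such as 5ad8a5d6.0 indexes it under one subject only, while -CApath looks each issuer up under that issuer's own subject hash. This sh/awk sketch splits a bundle and stores each certificate as HASH.N, the names c_rehash's links would have, without perl; split_bundle, rehash_bundle and the OPENSSL variable are hypothetical names, and awk is assumed to be available on the device.

```shell
#!/bin/sh
# Added example: populate an OpenSSL -CApath directory from a PEM bundle
# on a system without perl/c_rehash. Function names are hypothetical.
# Usage after sourcing: rehash_bundle cacert-2016-11-02.pem /etc/ssl/certs
OPENSSL=${OPENSSL:-openssl}   # assumption: set to ./openssl for a local binary

# split_bundle BUNDLE OUTDIR
# Write each certificate to OUTDIR/cert-N.pem and print how many were found.
# Text outside BEGIN/END markers (bundle comments) is dropped.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# rehash_bundle BUNDLE CERTDIR
# Store every certificate of BUNDLE in CERTDIR as <subject-hash>.<n> and
# print the number installed. Plain files are used instead of symlinks,
# so this also works on file systems without symlink support.
rehash_bundle() {
    bundle=$1; certdir=$2
    mkdir -p "$certdir" || return 1
    count=$(split_bundle "$bundle" "$certdir") || return 1
    i=1; ok=0
    while [ "$i" -le "$count" ]; do
        f="$certdir/cert-$i.pem"
        i=$((i + 1))
        # x509 only looks at the first certificate in a file, hence the split.
        h=$("$OPENSSL" x509 -hash -noout -in "$f") || { rm -f "$f"; continue; }
        # Two subjects can share a hash: take the next free numeric suffix.
        n=0
        while [ -e "$certdir/$h.$n" ]; do n=$((n + 1)); done
        mv "$f" "$certdir/$h.$n"
        ok=$((ok + 1))
    done
    echo "$ok"
}
```

Unlike c_rehash, this sketch does not skip a certificate that appears twice in the bundle; the duplicate is stored under the next suffix.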