Re: Debugging cause of "unable to get local issuer certificate" - one cert works, one doesn't

2013-09-23 Thread James Crowley
Thank you so much, I would never have figured that out in a million years!
It works perfectly following those instructions. And always good to know
the "how" in case I trip over it again, much appreciated.

Apologies for the richtext, I blame Google for that one...



On 23 September 2013 22:25, Dave Thompson wrote:

> Sorry for top-posting but you apparently posted richtext and my new
> "improved" Outlook can no longer impoverish text correctly nor reply inline
> to richtext. Bah.
>
> You don't need the full chain(s), only the root(s), since both servers
> send chain as they should.
>
> The difference is that the sumologic chain uses "GeoTrust Primary
> Certification Authority" which appears to be both self-signed and
> (cross)signed by Equifax probably for transition (although 2006 is a while
> back now) and the server actually sends the cross-signed one.
>
> Firefox (at least the current version 24 I can check) has the self-signed
> version "built-in" which it uses (and exports). OpenSSL on the contrary will
> not (yet) override a received cert with a truststore one, so it needs the
> Equifax root. Which is also in FF 24; under Authorities find Equifax Secure
> CA, export that and use that.
>
> If you really want to know how (as asked) not just what, if you have
> openssl commandline the easiest way is to run openssl s_client -connect
> host:port and look at the cert chaining (0 s: and i:, 1 s: and i:, and so
> on), and in this case compare to what FF displays. If you need the contents
> of the non-leaf certs (here you don't really) add -showcerts .
>
> Note the sumologic leaf cert has Subject CN sumologic.com, but
> SubjectAlternativeNames correctly specifying other names including
> collectors.sumologic.com. EV certs aren't allowed to use wildcard names.
>
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
> On Behalf Of James Crowley
> Sent: Monday, September 23, 2013 14:28
> To: openssl-users@openssl.org
> Subject: *** Spam *** Debugging cause of "unable to get local issuer
> certificate" - one cert works, one doesn't
>
> Hi everyone,
>
> I'm hitting an "unable to get local issuer certificate" error on a specific
> SSL certificate, and I was wondering how I can best debug this? It's via
> NXLog which uses OpenSSL so a bit disconnected from the underlying library
> at the moment, and I'm not too familiar with OpenSSL.
>
> I've exported the full SSL certificate chain for both logs-01.loggly.com and
> collectors.sumologic.com using Firefox, each into their own pem file.
> When establishing a connection, the first works fine, the second gives me:
>
> SSL certificate verification failed: unable to get local issuer
> certificate (err: 20)
>
> The only difference I can spot is the second is an EV certificate, and is
> for sumologic.com whereas the first is explicitly *.loggly.com. If I
> deliberately mis-match the certificates then I get
>
> "SSL certificate verification failed: self signed certificate in
> certificate chain (err: 19)"
>
> so it's definitely something specific to the SumoLogic certificate
> verification chain as far as I can tell?
>
> Any help would be much appreciated.
>
> J
>



-- 

---
James Crowley
CTO, FundApps - a new generation in financial services software -
http://www.fundapps.co/
Founder, developerFusion - the global developer community -
http://www.developerfusion.com/

linkedin: http://linkedin.com/in/jamescrowley
twitter: http://twitter.com/jamescrowley


RE: Debugging cause of "unable to get local issuer certificate" - one cert works, one doesn't

2013-09-23 Thread Dave Thompson
Sorry for top-posting but you apparently posted richtext and my new
"improved" Outlook can no longer impoverish text correctly nor reply inline
to richtext. Bah.

You don't need the full chain(s), only the root(s), since both servers send
chain as they should.

The difference is that the sumologic chain uses "GeoTrust Primary
Certification Authority" which appears to be both self-signed and
(cross)signed by Equifax probably for transition (although 2006 is a while
back now) and the server actually sends the cross-signed one.

Firefox (at least the current version 24 I can check) has the self-signed
version "built-in" which it uses (and exports). OpenSSL on the contrary will
not (yet) override a received cert with a truststore one, so it needs the
Equifax root. Which is also in FF 24; under Authorities find Equifax Secure
CA, export that and use that.

If you really want to know how (as asked) not just what, if you have openssl
commandline the easiest way is to run openssl s_client -connect host:port and
look at the cert chaining (0 s: and i:, 1 s: and i:, and so on), and in this
case compare to what FF displays. If you need the contents of the non-leaf
certs (here you don't really) add -showcerts .

Note the sumologic leaf cert has Subject CN sumologic.com, but
SubjectAlternativeNames correctly specifying other names including
collectors.sumologic.com. EV certs aren't allowed to use wildcard names.

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of James Crowley
Sent: Monday, September 23, 2013 14:28
To: openssl-users@openssl.org
Subject: *** Spam *** Debugging cause of "unable to get local issuer
certificate" - one cert works, one doesn't

Hi everyone,

I'm hitting an "unable to get local issuer certificate" error on a specific
SSL certificate, and I was wondering how I can best debug this? It's via
NXLog which uses OpenSSL so a bit disconnected from the underlying library
at the moment, and I'm not too familiar with OpenSSL.

I've exported the full SSL certificate chain for both logs-01.loggly.com and
collectors.sumologic.com using Firefox, each into their own pem file. When
establishing a connection, the first works fine, the second gives me:

SSL certificate verification failed: unable to get local issuer certificate
(err: 20)

The only difference I can spot is the second is an EV certificate, and is
for sumologic.com whereas the first is explicitly *.loggly.com. If I
deliberately mis-match the certificates then I get

"SSL certificate verification failed: self signed certificate in certificate
chain (err: 19)"

so it's definitely something specific to the SumoLogic certificate
verification chain as far as I can tell?

Any help would be much appreciated.

J
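To make the chain-building rule in Dave's reply concrete, here is an added example (my code, not from the thread, NXLog or OpenSSL): it parses the "N s:" / "i:" chain lines from saved openssl s_client -connect host:port output and applies the rule that OpenSSL keeps the received cert rather than swapping in a truststore cert with the same subject, so only the issuer of the top received cert is looked up. The embedded s_client excerpt and truststore contents are constructed to mirror the sumologic case; DNs beyond the names quoted in the thread are made up.

```python
"""Offline emulation of OpenSSL 1.0-era chain building against saved
`openssl s_client -connect host:port` output, showing why X509 errors 20
and 19 appear. The s_client excerpt below is CONSTRUCTED, not a capture."""
import re

# Constructed chain: the server sends the cross-signed GeoTrust Primary
# (issued by Equifax). DNs other than names quoted in the thread are made up.
SAMPLE_SCLIENT = """\
---
Certificate chain
 0 s:/C=US/O=Sumo Logic (constructed)/CN=sumologic.com
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust EV Intermediate (constructed)
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust EV Intermediate (constructed)
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Verify return code: 20 (unable to get local issuer certificate)
"""

# One "N s:<subject>" line followed by its "i:<issuer>" line.
CHAIN_LINE = re.compile(r"^\s*(\d+) s:(.*)$\n\s*i:(.*)$", re.MULTILINE)

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip())
            for m in CHAIN_LINE.finditer(text)]

def diagnose(chain, trusted_subjects):
    """Apply the rule from the thread: received certs are used as sent (a
    truststore cert with the same subject does not replace them), so only
    the issuer of the top received cert is looked up in the truststore.
    Returns (error_code, message); 0 means verification would succeed."""
    top_subject, top_issuer = chain[-1]
    if top_subject == top_issuer:          # server sent a self-signed root
        if top_subject in trusted_subjects:
            return 0, "ok"
        return 19, "self signed certificate in certificate chain: " + top_subject
    if top_issuer in trusted_subjects:
        return 0, "ok"
    return 20, "unable to get local issuer certificate; missing root: " + top_issuer

if __name__ == "__main__":
    chain = parse_chain(SAMPLE_SCLIENT)
    # Firefox export: same subjects as the served chain, but its GeoTrust
    # Primary is the self-signed copy, so Equifax is not in the file.
    firefox_export = {subject for subject, _ in chain}
    print(diagnose(chain, firefox_export))                   # error 20, names Equifax
    print(diagnose(chain, firefox_export | {chain[-1][1]}))  # (0, 'ok')
```

Feeding it a real capture (the thread's host, collectors.sumologic.com:443, redirected to a file) reproduces the same decision the verifier made, and the reported issuer DN is the root to export.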


Debugging cause of "unable to get local issuer certificate" - one cert works, one doesn't

2013-09-23 Thread James Crowley
Hi everyone,

I'm hitting an "unable to get local issuer certificate" error on a specific
SSL certificate, and I was wondering how I can best debug this? It's via
NXLog which uses OpenSSL so a bit disconnected from the underlying library
at the moment, and I'm not too familiar with OpenSSL.

I've exported the full SSL certificate chain for both logs-01.loggly.com and
collectors.sumologic.com using Firefox, each into their own pem file. When
establishing a connection, the first works fine, the second gives me:

SSL certificate verification failed: unable to get local issuer certificate
(err: 20)

The only difference I can spot is the second is an EV certificate, and is
for sumologic.com whereas the first is explicitly *.loggly.com. If I
deliberately mis-match the certificates then I get

"SSL certificate verification failed: self signed certificate in
certificate chain (err: 19)"

so it's definitely something specific to the SumoLogic certificate
verification chain as far as I can tell?

Any help would be much appreciated.

J