> On Jan 25, 2018, at 4:59 AM, Oleg Smelkoff wrote:
>
> As I tought, reason of that problem was incorrect AKID of EE-certificate,
> cause AKID has to identify the issuer of the issuer,
That is indeed the problem, but your statement above is not accurate.
In the AKID
Hi All!
I've encountered same problem such in this topic:
http://openssl.6102.n7.nabble.com/Getting-crazy-with-quot-error-20-at-0-depth-lookup-unable-to-get-local-issuer-certificate-error-quot-td21109.html#none
but it wasn't help me
I have 2 chains, and try to verify EE-certificates with CApath
Hi Jakob & Michael & openssler,
The openssl can work well now.
I just used the date command to reset my system time.
And then it can return OK value now.
Although I didn't try it in the latest openssl1.1.0c.
In my embedded linux device, I didn't initialize the time. And there is no
RTC.
This
Hi Jakob & Michael & opensslers,
I'm sorry to ask a stupid question.
That I found when I used the openssl1.0.1f, it said the error log:
--log--
/tmp # ./openssl s_client -connect curl.haxx.se:443 -CAfile ./cacert.pem
CONNECTED(0003)
depth=2 O =
Hi Michael & opensslers,
> So: either there's more than one certificate in cacert-2016-11-02.pem, or
OpenSSL on the PC is searching its default CA certificate directory in
addition to cacert-2016-11-02.pem. Since we don't know what's > actually in
cacert-2016-11-02.pem, we can't provide much
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of ??
> Sent: Wednesday, December 14, 2016 07:53
> I get the log from the embedded linux device and my PC.
> Sorry, I don't get the deference in the platform, but there is some deference
> between the platform and PC.
/
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=anja.haxx.se
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=
tmp # ./openssl s_client -connect curl.haxx.se:443
<http://curl.haxx.se:443> -CApath /etc/ssl/certs/
CONNECTED(0003)
depth=0 CN = anja.haxx.se <http://anja.haxx.se>
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se <http://a
Hi Jakob & openssl-er,
1. My cross compile command is :
---
#export
CROSSCOMP_DIR=/home/georgeyang/workspace/hisi/hi3516a_v100/Hi3516A_SDK_V1.0.6.0/osdrv/opensource/toolchain/arm-hisiv400-linux/arm-hisiv400-linux/bin
#export INSTALL_DIR=/home/georgeyang/workspace/speech_code/openssl
s_client -connect curl.haxx.se:443 -CApath /etc/ssl/certs/
CONNECTED(0003)
depth=0 CN = anja.haxx.se
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se
verify error:num=21:unable to verify the first certificate
verify return:1
---
4. NG again
log is
--log
CONNECTED(0003)
depth=0 CN = anja.haxx.se <http://anja.haxx.se>
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se <http://anja.haxx.se>
verify error:num=21:unable to verify the first certificate
verify return:1
--
, cacert.pem to the embedded linux platform.
2. run the command:
/tmp #:./openssl s_client -connect curl.haxx.se:443 -CAfile /tmp/cacert.pem
3. the error log is
--log
CONNECTED(0003)
depth=0 CN = anja.haxx.se
verify error:num=20:unable to get local issuer certificate
verify
"(c) 2006 thawte, Inc. - For authorized use only", CN =
> thawte Primary Root CA
> verify error:num=20:unable to get local issuer certificate
> ...
Despite the CN string, the certificate presented by that server on
the wire is not a root certificate. See the attached chain.
Issu
From: owner-openssl-us...@openssl.org On Behalf Of Yvonne Wambui
Sent: Friday, January 10, 2014 01:44
thanks dave and martin. with all that information i think i should start
the process again.
Do you have some materials that have step by step process of configuring
two way connections
I
I was thinking about manual verification of certificates on the command
line. From what you wrote now, it seems that you are using some calls to
the openssl library in a client-server application, maybe via other
tools/webserver or so, and I understand that the server certificate was
issued by a
thanks martin. i made the changes and now im getting
Verify return code: 19 (self signed certificate in certificate chain)
is this ok, or i need code 0
On Thu, Jan 9, 2014 at 1:33 PM, Martin Hecht he...@hlrs.de wrote:
I was thinking about manual verification of certificates on the command
X509_V_OK would be code 0
19 means that the CA certificate could be found, the chain could be
built and verified completely up to the CA certificate but the latter is
not trusted. (see http://www.openssl.org/docs/apps/verify.html)
ah, for some things to work correctly, the file name must be the
could you please explain the last reason.
On Thu, Jan 9, 2014 at 3:38 PM, Martin Hecht he...@hlrs.de wrote:
X509_V_OK would be code 0
19 means that the CA certificate could be found, the chain could be
built and verified completely up to the CA certificate but the latter is
not trusted.
I don't know what exactly you are doing, so it is difficult to speculate
why you are receiving code 19.
Some information is exchanged during establishment of the ssl
connection. For example if you have a web server and a browser, the web
server shows the host certificate to the browser and the
From: owner-openssl-users On Behalf Of Martin Hecht
Sent: Thursday, January 09, 2014 11:54
Generally good explanation, but a few quibbles:
I don't know what exactly you are doing, so it is difficult to speculate
why you are receiving code 19.
Some information is exchanged during
thanks dave and martin. with all that information i think i should start
the process again. Do you have some materials that have step by step
process of configuring two way connections
On Fri, Jan 10, 2014 at 7:30 AM, Dave Thompson dthomp...@prinpay.comwrote:
From: owner-openssl-users On
i get this error when verifing a non-self signed certificate. how do i make
it not point to the rootCA
On 08.01.2014 15:32, Yvonne Wambui wrote:
i get this error when verifing a non-self signed certificate. how do i make
it not point to the rootCA
It makes no sense to verify a non-self signed certificate without the
rootCA certificate. To verify such a certificate you have to provide the
thanks martin, your response shade some light and i can now understand what
im doing. Im trying to create a two way ssl connection, the problem when
verifying the connection to the server, its using my RootCA instead of the
server, hence throwing verification error 19. would you please advise on
Hi everyone,
I'm hitting a unable to get local issuer certificate error on a specific
SSL certificate, and I was wondering how I can best debug this? It's via
NXLog which uses OpenSSL so a bit disconnected from the underlying library
at the moment, and I'm not too familar with OpenSSL.
I've
[mailto:owner-openssl-us...@openssl.org] On Behalf Of James Crowley
Sent: Monday, September 23, 2013 14:28
To: openssl-users@openssl.org
Subject: *** Spam *** Debugging cause of unable to get local issuer
certificate - one cert works, one doesn't
Hi everyone,
I'm hitting a unable to get local issuer
@openssl.org
*Subject:* *** Spam *** Debugging cause of unable to get local issuer
certificate - one cert works, one doesn't
** **
Hi everyone,
** **
I'm hitting a unable to get local issuer certificate error on a specific
SSL certificate, and I was wondering how I can best debug
, the top root CA.
Regards.
--
From: Joshua Bowman
Sent: Tuesday, June 05, 2012 9:48 AM
To: openssl-users@openssl.org
Subject: Re: Verify return code: 20 (unable to get local issuer certificate
cert so
they don't work.
Joshua Bowman
On 6/4/2012 9:07 PM, Vladimir Belov wrote:
Hi,
I have a httpS-client and try to load www.verisign.com. I get the error
during certificate
verification: “20 (unable to get local issuer certificate)”
The same error code was when I used s_client
root CA should I add?
Regards,
Vladimir.
--
From: Joshua Bowman
Sent: Tuesday, June 05, 2012 8:48 AM
To: openssl-users@openssl.org
Subject: Re: Verify return code: 20 (unable to get local issuer certificate)
for www.verisign.com
Hi Vladimir
, 2012 8:48 AM
To: openssl-users@openssl.org
Subject: Re: Verify return code: 20 (unable to get local issuer certificate)
for www.verisign.com
Hi Vladimir,
Use the actual root CA instead (i:/C=US/O=VeriSign, Inc./OU=Class 3 Public
Primary Certification
Authority) and you'll see it works
.
--
From: Joshua Bowman
Sent: Tuesday, June 05, 2012 8:48 AM
To: openssl-users@openssl.org
Subject: Re: Verify return code: 20 (unable to get local issuer certificate)
for www.verisign.com
Hi Vladimir,
Use the actual root CA instead (i:/C=US/O
Dr. Henson,
I installed the Apache 2.2.22/OpenSSL 1.0.1a bundle and then put OpenSSL 1.0.0i
on top of that.
That, in conjunction with adding the root cert to the store for those users
with 6-layer cert chains, did the trick! All the users can now access the site!
This is an area I'm not very
+-+-+-+-+-+-+
-Original Message-
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dr. Stephen Henson
Sent: Monday, May 07, 2012 7:13 PM
To: openssl-users@openssl.org
Subject: Re: FAILED:unable to get local issuer certificate
On Mon, May 07
On Tue, May 08, 2012, dave.mclel...@emc.com wrote:
Hi Dr. Steve: can I get clarification on your note about the '...link
algorithm has changed...'?
Does this refer to the hash computed over a certificate which is needed when
using SSL_CTX_load_verify_locations(pCtx, NULL,
On Tue, May 08, 2012, Tammany, Curtis wrote:
If this works in 1.0.1 but not 0.9.8 I'm guessing its the name constraints
extension that is the problem which isn't supported in OpenSSL 0.9.8.
One of the intermediate certs does have a name constraint...
It is most likely critical then
Verification: Error (20): unable to get
local issuer certificate and Re-negotiation handshake failed: Not accepted by
client!?.
It ties into the problem I was having back in February (Windows 7/IE8 CAC
enabled sites) that I really never truly addressed. The production server had
Apache 2.2.22
local issuer certificate
On Tue, May 08, 2012, dave.mclel...@emc.com wrote:
Hi Dr. Steve: can I get clarification on your note about the '...link
algorithm has changed...'?
Does this refer to the hash computed over a certificate which is needed when
using SSL_CTX_load_verify_locations
If this works in 1.0.1 but not 0.9.8 I'm guessing its the name constraints
extension that is the problem which isn't supported in OpenSSL 0.9.8.
One of the intermediate certs does have a name constraint...
Does the production site have any directories of trusted certificates or are
they all
: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Dr. Stephen Henson
Sent: Thursday, May 03, 2012 19:01
To: openssl-users@openssl.org
Subject: Re: FAILED:unable to get local issuer certificate
On Thu, May 03, 2012, Tammany, Curtis wrote:
Well...
If by trusted
On Mon, May 07, 2012, Tammany, Curtis wrote:
Now have added only the Common Policy CA at the top of the certs file. The
development site works for both the long chain and short chain users.
I put the cert file out on the production site and the short chain users can
access the site but
-us...@openssl.org]
On Behalf Of Dr. Stephen Henson
Sent: Thursday, May 03, 2012 19:01
To: openssl-users@openssl.org
Subject: Re: FAILED:unable to get local issuer certificate
On Thu, May 03, 2012, Tammany, Curtis wrote:
Well...
If by trusted store you mean my one cert file pointed
It sounds like some clients have the correct intermediate certificate(s)
installed and some do not.
They should select the certificate, click the view button and see if the
certificate path is complete (i.e. it says it is OK).
On systems (XP and some Win7) where the user can access the site
On Thu, May 03, 2012, Tammany, Curtis wrote:
It sounds like some clients have the correct intermediate certificate(s)
installed and some do not.
They should select the certificate, click the view button and see if the
certificate path is complete (i.e. it says it is OK).
On systems
: Thursday, May 03, 2012 12:57
To: openssl-users@openssl.org
Subject: Re: FAILED:unable to get local issuer certificate
On Thu, May 03, 2012, Tammany, Curtis wrote:
It sounds like some clients have the correct intermediate certificate(s)
installed and some do not.
They should select
: Thursday, May 03, 2012 12:57
To: openssl-users@openssl.org
Subject: Re: FAILED:unable to get local issuer certificate
On Thu, May 03, 2012, Tammany, Curtis wrote:
It sounds like some clients have the correct intermediate certificate(s)
installed and some do not.
They should select
On Thu, May 03, 2012, Tammany, Curtis wrote:
Well...
If by trusted store you mean my one cert file pointed to by
SSLCACertificateFile, then yes I added the Common Policy, SHA-1 Federal Root
CA and DoD Interoperability Root CA certs to the cert file on my development
site and increased the
- it
might work and it might not. When it doesn't work, we see the FAILED:unable
to get local issuer certificate in the log.
I'm not understanding your test. I could get them to export their certificate
(without priv. key).
Am I to run openssl verifiy -untrusted clientcert.pem? What will this tell me
. If the same client tries to access the site via Win7- it
might work and it might not. When it doesn't work, we see the FAILED:unable
to get local issuer certificate in the log.
I'm not understanding your test. I could get them to export their certificate
(without priv. key).
Am I to run
From: owner-openssl-us...@openssl.org On Behalf Of Tammany, Curtis
Sent: Friday, 27 April, 2012 09:45
To: st...@openssl.org; openssl-users@openssl.org
Subject: FAILED:unable to get local issuer certificate
We have an Apache 2.2.22/OpenSSL 1.0.1 CAC-enabled website
running on Windows (XP
%{SSL_CIPHER}x
%{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_VERIFY}x to the CustomLog command.
When a Windows 7 user tried to access the site, we saw the following entry:
[25/Apr/2012:12:24:12 -0400] 172.16.10.94 TLSv1 - - FAILED:unable to get local
issuer certificate GET / HTTP/1.1 -
I have one certs file
I am trying to build a radius server for wifi clients.
I am using:
Free Radius Version 2.1.7
OpenSSL 0.9.8e-fips-rhe15
I have spent some time to make it work but it is not happeniong.
I am using Free Radius scripts to generate certificates but not luck.
opnessl -verbose -CAfile ca.pem server.pem
Hi,
I can't figure this out and I've been searching the net for hours, so I hope
someone can help.
I want to make an ldaps connection to a remote server, but issuing
openssl s_client -ssl3 -connect [domain]:636 -state -verify
results in: Verify return code: 20 (unable to get local issuer
s_client -ssl3 -connect [domain]:636 -state -verify
results in: Verify return code: 20 (unable to get local issuer certificate).
When I specify the -CAfile /etc/ssl/certs/AddTrust_External_CA_Root.pem it
works fine.
How can I make openssl use (trust) that CAfile automatically?
Thanks
(unable to get local issuer
certificate).
When I specify the -CAfile
/etc/ssl/certs/AddTrust_External_CA_Root.pem it works fine.
How can I make openssl use (trust) that CAfile automatically?
Thanks in advance!
Regards,
Lennart
to validate that it can communicate with my LDAP
server I get this:
root@mediawiki ~# openssl s_client -connect
domain.home.jltaylor.net:636 -cert wiki.home.jltaylor.net.pem
CONNECTED(0003)
depth=0 /CN=domain.home.jltaylor.net
verify error:num=20:unable to get local issuer
error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=domain.home.jltaylor.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=domain.home.jltaylor.net
verify error:num=21:unable to verify the first certificate
verify return
=kdc.xyz.com
error 20 at 0 depth lookup:unable to get local issuer certificate
The Subject and Issuer names in certificates are correct. Please let me
know the cause of error and changes required in the certificate hierarchy.
Regards,
Vinay
issuer certificate
The Subject and Issuer names in certificates are correct. Please
let me know the cause of error and changes required in the
certificate hierarchy.
Regards,
Vinay
=kdc.xyz.com
error 20 at 0 depth lookup:unable to get local issuer certificate
The Subject and Issuer names in certificates are correct. Please let me
know the cause of error and changes required in the certificate hierarchy.
Regards,
Vinay
Hi Dave, thanks for your reply but...
On Thu, Oct 21, 2010 at 7:52 PM, Dave Thompson dthomp...@prinpay.comwrote:
From: owner-openssl-us...@openssl.org On Behalf Of Ariel
Sent: Thursday, 21 October, 2010 16:34
On Thu, Oct 21, 2010 at 12:44 AM, sandeep kiran p
Hi Ariel,
If you want to avoid browsers warning, your only option is to get a
valid certificate for your users from a commercial CA. You can get them
for free from StartSSL for example (http://www.startssl.com/).
If you represent an organization, then you can try to qualify for the
: error: unable to get local issuer certificate
Hi Ariel,
If you want to avoid browsers warning, your only option is to get a
valid certificate for your users from a commercial CA. You can get them
for free from StartSSL for example (http://www.startssl.com/).
If you represent an organization
service, then this is a different
story, you will need to look at WebTrust compliance as a starting point.
-Eduardo
-Original Message- From: Mounir IDRASSI
Sent: Friday, October 22, 2010 2:26 PM
To: openssl-users@openssl.org
Subject: Re: error: unable to get local issuer certificate
.
-Eduardo
-Original Message- From: Mounir IDRASSI
Sent: Friday, October 22, 2010 2:26 PM
To: openssl-users@openssl.org
Subject: Re: error: unable to get local issuer certificate
Hi Ariel,
If you want to avoid browsers warning, your only option is to get a
valid certificate
From: owner-openssl-us...@openssl.org On Behalf Of Ariel
Sent: Friday, 22 October, 2010 13:04
On Thu, Oct 21, 2010 at 7:52 PM, Dave Thompson
dthomp...@prinpay.com wrote:
snip
Do as sandeep said. Create your own private CA with OpenSSL.
You issue
verify -CAfile combined_4.crt test1.crt
$ openssl verify -CAfile combined_5.crt test1.crt
In all the verification process I got the following output:
* test1.crt: /CN=*.mydomain.com/O=MyDomain,
Inc./OU=MyDomain/C=US/ST=State/L=City*
* error 20 at 0 depth lookup:unable to get local issuer
From: owner-openssl-us...@openssl.org On Behalf Of Ariel
Sent: Thursday, 21 October, 2010 16:34
On Thu, Oct 21, 2010 at 12:44 AM, sandeep kiran p
sandeepkir...@gmail.com wrote:
mydomain.com.crt is an End-Entity certificate and not a CA
cert. snip
So
test1.crt
$ openssl verify -CAfile combined_5.crt test1.crt
In all the verification process I got the following output:
* test1.crt: /CN=*.mydomain.com/O=MyDomain,
Inc./OU=MyDomain/C=US/ST=State/L=City*
* error 20 at 0 depth lookup:unable to get local issuer certificate*
I run the above steps
$ openssl verify -CAfile combined_5.crt test1.crt
In all the verification process I got the following output:
* test1.crt: /CN=*.mydomain.com/O=MyDomain,
Inc./OU=MyDomain/C=US/ST=State/L=City*
* error 20 at 0 depth lookup:unable to get local issuer certificate*
I run the above steps using
to get local issuer certificate*
I run the above steps using different CA files (the combined ones I
created) to sign the requests and I always get the same result :(
What I'm missing here? How can I create and issue client certificates that
can be recognized?
I'd appreciate some light here
.crt: /CN=*.mydomain.com/O=MyDomain,
Inc./OU=MyDomain/C=US/ST=State/L=City*
* error 20 at 0 depth lookup:unable to get local issuer certificate*
I run the above steps using different CA files (the combined ones I
created) to sign the requests and I always get the same result :(
What I'm
Firstly thank you for the extensive debug information
No!! Thank you very much for your quick answer/reply!!
Specifically the authority key identifier of the EE certificate is incorrectly
set, though it is set correctly for other certificates in the chain.
I've been checking the Authority
at 0 depth lookup:unable to get local
issuer certificate error (I tried everything...)
Firstly thank you for the extensive debug information
No!! Thank you very much for your quick answer/reply!!
Specifically the authority key identifier of the EE certificate is incorrectly
set, though
On Thu, Aug 26, 2010, Toms Tormo wrote:
Firstly thank you for the extensive debug information
No!! Thank you very much for your quick answer/reply!!
Specifically the authority key identifier of the EE certificate is
incorrectly
set, though it is set correctly for other certificates in the
Greetings
I'm are trying to configure apache with client authentication using some
commercial certificates, but we are getting troubles with it. In Apache
logs we can see the following error *Certificate Verification: Error
(20): unable to get local issuer certificate*
I tried to verify
On Wed, Aug 25, 2010, Toms Tormo wrote:
Honestly, I have no idea what I'm doing wrong.. I've checked all the
requirements OpenSSL needs and the certificates fulfill them all...
Could you please help me? I'm getting desperate...
Firstly thank you for the extensive debug information, all too
-root-ca_cert.pem -untrusted
../hongdiz-ca1/hongdiz-ca1_cert.pem hongdiz-router-1_cert.pem
hongdiz-router-1_cert.pem:
/C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-router-1.crdc.cisco.com
error 20 at 0 depth lookup:unable to get local issuer certificate
2. Verify hongdiz-root-ca -- hongdiz
error 20 at 0 depth lookup:unable to get local issuer certificate
2. Verify hongdiz-root-ca -- hongdiz-ca1 [OK]
[r...@hongdiz-server-1 hongdiz-router-1]# openssl verify -CAfile
../hongdiz-root-ca/hongdiz-root-ca_cert.pem ../hongdiz-ca1/hongdiz-ca1_cert.pem
../hongdiz-ca1/hongdiz-ca1_cert.pem: OK
3
error:unable to get local issuer certificate)
Date: Fri, 16 Jul 2010 14:27:05 -0400
Hi Luis:
See reply inline:
On July 16, 2010 11:05:46 am Luis Neves wrote:
snip
besides this, why I have to force httpd.conf with a SSLOCSPDefaultResponder
directive? Shouldnt the mod_ssl code discover
error:unable to get local issuer certificate)
Date: Fri, 16 Jul 2010 14:27:05 -0400
Hi Luis:
See reply inline:
On July 16, 2010 11:05:46 am Luis Neves wrote:
snip
besides this, why I have to force httpd.conf with a SSLOCSPDefaultResponder
directive? Shouldnt the mod_ssl code
Date: Thu, 15 Jul 2010 18:15:32 +0200
From: st...@openssl.org
To: openssl-users@openssl.org
Subject: Re: OCSP_basic_verify:certificate verify error (Verify error:unable
to get local issuer certificate)
On Thu, Jul 15, 2010, Luis Neves wrote:
some progress:
openssl ocsp
On Fri, Jul 16, 2010, Luis Neves wrote:
Ok, using your tip I confirmed that CA certificate is the CC0003.pem
Ive include it at the end of ca-bundle.crt, pem encoded like the others on
this file and used it as
openssl ocsp -issuer /etc/pki/tls/certs/CC0003.pem -cert
2010 13:18:16 +0200
From: st...@openssl.org
To: openssl-users@openssl.org
Subject: Re: OCSP_basic_verify:certificate verify error (Verify
error:unable to get local issuer certificate)
On Fri, Jul 16, 2010, Luis Neves wrote:
Ok, using your tip I confirmed that CA certificate
Hi Luis:
See reply inline:
On July 16, 2010 11:05:46 am Luis Neves wrote:
snip
besides this, why I have to force httpd.conf with a SSLOCSPDefaultResponder
directive? Shouldnt the mod_ssl code discover automatically the responder
address from the client certificate itself??
From your
:
error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error (Verify
error:unable t
o get local issuer certificate)
[Wed Jul 14 16:39:46.106992 2010] [error] [pid 32170] failed to verify the OCSP
response
Regards,
Luis
verify
error:ocsp_vfy.c:122:Verify error:unable to get local issuer certificate
/home/oracle/lneves.pem: unknown
This Update: Jul 15 11:16:16 2010 GMT
the Cert Status: unknown status is due to the unable to get local issuer
certificate error???
help me
CERTIFICATE-
Response Verify Failure
3537:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify
error:ocsp_vfy.c:122:Verify error:unable to get local issuer certificate
/home/oracle/lneves.pem: unknown
This Update: Jul 15 11:16:16 2010 GMT
the Cert Status: unknown status
...@openssl.org
To: openssl-users@openssl.org
Subject: Re: OCSP_basic_verify:certificate verify error (Verify
error:unable to get local issuer certificate) ERROR
On Thu, Jul 15, 2010, Luis Neves wrote:
openssl ocsp -issuer /etc/pki/tls/certs/CC0001.pem -cert
/home/oracle/lneves.pem
Extensions:
OCSP Nonce:
0410B32E193742C48C57C927C1F062AB06A5
Date: Thu, 15 Jul 2010 14:27:55 +0200
From: st...@openssl.org
To: openssl-users@openssl.org
Subject: Re: OCSP_basic_verify:certificate verify error (Verify
error:unable to get local issuer certificate
some progress:
openssl ocsp -issuer /etc/pki/tls/certs/CC0003.pem -cert
/home/oracle/lneves.pem -url http://ocsp.auc.cartaodecidadao.pt/publico/ocsp
-CAfile /etc/pki/tls/certs/CC0003.pem -resp_text
using CC0003.pem instead of C0002.pem returns GOOD (will try to check why)
but still returning
On Thu, Jul 15, 2010, Luis Neves wrote:
some progress:
openssl ocsp -issuer /etc/pki/tls/certs/CC0003.pem -cert
/home/oracle/lneves.pem -url http://ocsp.auc.cartaodecidadao.pt/publico/ocsp
-CAfile /etc/pki/tls/certs/CC0003.pem -resp_text
using CC0003.pem instead of C0002.pem returns
as
authorityInformationAccess'.
What you need to do is ensure that the CA that issued the OCSP
responder's certificate is in ca-bundle.txt. The first secton, the
Unknown, will still state 'unknown' (and you will have to ask the CA
why it's returning 'unknown status'. The 'unable to get local issuer
certificate
...@openssl.org] On Behalf Of Duncan Berriman
Sent: Thursday, July 09, 2009 3:18 PM
To: openssl-users@openssl.org
Subject: Re: unable to get local issuer certificate certificate not
trusted errors
Its likely that the certificate is not installed correctly and that
the person who installed it did not install
: unable get the local issuer
certificate???.
But, I move the some certificates??? position or delete some certificates
from
CA_AAA.pem, then I generate the two CA certificate files (Test_CA_AAA.pem
and Test.pem). I try the CA certificates files with verify command.
(openssl
verify ???CAfile
AAACertificateServices.pem???. In
Windows/Linux platform, the verify command can be valid. In MAC OS platform,
it can???t be valid.
It always show ???errcode = 20 : unable get the local issuer certificate???.
But, I move the some certificates??? position or delete some certificates from
CA_AAA.pem, then I
command can be valid. In MAC OS platform,
it can’t be valid.
It always show “errcode = 20 : unable get the local issuer certificate”.
But, I move the some certificates’ position or delete some certificates from
CA_AAA.pem, then I generate the two CA certificate files (Test_CA_AAA.pem
and Test.pem
From: owner-openssl-us...@openssl.org On Behalf Of Duncan Berriman
Sent: Wednesday, 22 April, 2009 06:20
To: openssl-users@openssl.org
Subject: RE: unable to get local issuer certificate
(cert from one server is SOMETIMES not verifying in client)
How about serialnumber? snip
Serial
)05/OU=Authenticated by VeriSign
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /1.3.6.1.4.1.311.60.2.1.3=GB/2.5.4.15=V1.0, Clause
5.(b)/serialNumber=03266266/C=GB/ST=Hampshire/L=Portsmouth/O=xt/OU=x/OU=Term
s of use at www.verisign.co.uk/rpa (c)05/OU=Authenticated
server so its possible its some sort
of cluster and I guess that might be causing the issue.
SSL_get_verify_result is returning unable to get local issuer certificate
X509_NAME_oneline (X509_get_subject_name... And X509_NAME_oneline
(X509_get_issuer_name... return identical information in either
1 - 100 of 145 matches
Mail list logo