Re: [openssl-users] error 20 at 0 depth lookup:unable to get local issuer certificate error

> On Jan 25, 2018, at 4:59 AM, Oleg Smelkoff wrote: > > As I tought, reason of that problem was incorrect AKID of EE-certificate, > cause AKID has to identify the issuer of the issuer, That is indeed the problem, but your statement above is not accurate. In the AKID

[openssl-users] error 20 at 0 depth lookup:unable to get local issuer certificate error

Hi All! I've encountered same problem such in this topic: http://openssl.6102.n7.nabble.com/Getting-crazy-with-quot-error-20-at-0-depth-lookup-unable-to-get-local-issuer-certificate-error-quot-td21109.html#none but it wasn't help me I have 2 chains, and try to verify EE-certificates with CApath

Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

Hi Jakob & Michael & openssler, The openssl can work well now. I just used the date command to reset my system time. And then it can return OK value now. Although I didn't try it in the latest openssl1.1.0c. In my embedded linux device, I didn't initialize the time. And there is no RTC. This

Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

Hi Jakob & Michael & opensslers, I'm sorry to ask a stupid question. That I found when I used the openssl1.0.1f, it said the error log: --log-- /tmp # ./openssl s_client -connect curl.haxx.se:443 -CAfile ./cacert.pem CONNECTED(0003) depth=2 O =

Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

Hi Michael & opensslers, > So: either there's more than one certificate in cacert-2016-11-02.pem, or OpenSSL on the PC is searching its default CA certificate directory in addition to cacert-2016-11-02.pem. Since we don't know what's > actually in cacert-2016-11-02.pem, we can't provide much

Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of ?? > Sent: Wednesday, December 14, 2016 07:53 > I get the log from the embedded linux device and my PC. > Sorry, I don't get the deference in the platform, but there is some deference > between the platform and PC.

Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

/ verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = anja.haxx.se verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/CN=anja.haxx.se i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 1 s:/C=US/O=

Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

tmp # ./openssl s_client -connect curl.haxx.se:443 <http://curl.haxx.se:443> -CApath /etc/ssl/certs/ CONNECTED(0003) depth=0 CN = anja.haxx.se <http://anja.haxx.se> verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = anja.haxx.se <http://a

Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

Hi Jakob & openssl-er, 1. My cross compile command is : --- #export CROSSCOMP_DIR=/home/georgeyang/workspace/hisi/hi3516a_v100/Hi3516A_SDK_V1.0.6.0/osdrv/opensource/toolchain/arm-hisiv400-linux/arm-hisiv400-linux/bin #export INSTALL_DIR=/home/georgeyang/workspace/speech_code/openssl

Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

s_client -connect curl.haxx.se:443 -CApath /etc/ssl/certs/ CONNECTED(0003) depth=0 CN = anja.haxx.se verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = anja.haxx.se verify error:num=21:unable to verify the first certificate verify return:1 --- 4. NG again

Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

log is --log CONNECTED(0003) depth=0 CN = anja.haxx.se <http://anja.haxx.se> verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = anja.haxx.se <http://anja.haxx.se> verify error:num=21:unable to verify the first certificate verify return:1 --

[openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command

, cacert.pem to the embedded linux platform. 2. run the command: /tmp #:./openssl s_client -connect curl.haxx.se:443 -CAfile /tmp/cacert.pem 3. the error log is --log CONNECTED(0003) depth=0 CN = anja.haxx.se verify error:num=20:unable to get local issuer certificate verify

Re: [openssl-users] [openssl-dev] [openssl.org #4166] Bug: OpenSSL 1.0.1l fails to verify SOME root CAs: error:num=20:unable to get local issuer certificate

"(c) 2006 thawte, Inc. - For authorized use only", CN = > thawte Primary Root CA > verify error:num=20:unable to get local issuer certificate > ... Despite the CN string, the certificate presented by that server on the wire is not a root certificate. See the attached chain. Issu

auth config, was Re: error 20 at 0 depth lookup:unable to get local issuer certificate

From: owner-openssl-us...@openssl.org On Behalf Of Yvonne Wambui Sent: Friday, January 10, 2014 01:44 thanks dave and martin. with all that information i think i should start the process again. Do you have some materials that have step by step process of configuring two way connections I

Re: error 20 at 0 depth lookup:unable to get local issuer certificate

I was thinking about manual verification of certificates on the command line. From what you wrote now, it seems that you are using some calls to the openssl library in a client-server application, maybe via other tools/webserver or so, and I understand that the server certificate was issued by a

Re: error 20 at 0 depth lookup:unable to get local issuer certificate

thanks martin. i made the changes and now im getting Verify return code: 19 (self signed certificate in certificate chain) is this ok, or i need code 0 On Thu, Jan 9, 2014 at 1:33 PM, Martin Hecht he...@hlrs.de wrote: I was thinking about manual verification of certificates on the command

Re: error 20 at 0 depth lookup:unable to get local issuer certificate

X509_V_OK would be code 0 19 means that the CA certificate could be found, the chain could be built and verified completely up to the CA certificate but the latter is not trusted. (see http://www.openssl.org/docs/apps/verify.html) ah, for some things to work correctly, the file name must be the

Re: error 20 at 0 depth lookup:unable to get local issuer certificate

could you please explain the last reason. On Thu, Jan 9, 2014 at 3:38 PM, Martin Hecht he...@hlrs.de wrote: X509_V_OK would be code 0 19 means that the CA certificate could be found, the chain could be built and verified completely up to the CA certificate but the latter is not trusted.

Re: error 20 at 0 depth lookup:unable to get local issuer certificate

I don't know what exactly you are doing, so it is difficult to speculate why you are receiving code 19. Some information is exchanged during establishment of the ssl connection. For example if you have a web server and a browser, the web server shows the host certificate to the browser and the

RE: error 20 at 0 depth lookup:unable to get local issuer certificate

From: owner-openssl-users On Behalf Of Martin Hecht Sent: Thursday, January 09, 2014 11:54 Generally good explanation, but a few quibbles: I don't know what exactly you are doing, so it is difficult to speculate why you are receiving code 19. Some information is exchanged during

Re: error 20 at 0 depth lookup:unable to get local issuer certificate

thanks dave and martin. with all that information i think i should start the process again. Do you have some materials that have step by step process of configuring two way connections On Fri, Jan 10, 2014 at 7:30 AM, Dave Thompson dthomp...@prinpay.comwrote: From: owner-openssl-users On

error 20 at 0 depth lookup:unable to get local issuer certificate

i get this error when verifing a non-self signed certificate. how do i make it not point to the rootCA

Re: error 20 at 0 depth lookup:unable to get local issuer certificate

On 08.01.2014 15:32, Yvonne Wambui wrote: i get this error when verifing a non-self signed certificate. how do i make it not point to the rootCA It makes no sense to verify a non-self signed certificate without the rootCA certificate. To verify such a certificate you have to provide the

Re: error 20 at 0 depth lookup:unable to get local issuer certificate

thanks martin, your response shade some light and i can now understand what im doing. Im trying to create a two way ssl connection, the problem when verifying the connection to the server, its using my RootCA instead of the server, hence throwing verification error 19. would you please advise on

Debugging cause of unable to get local issuer certificate - one cert works, one doesn't

Hi everyone, I'm hitting a unable to get local issuer certificate error on a specific SSL certificate, and I was wondering how I can best debug this? It's via NXLog which uses OpenSSL so a bit disconnected from the underlying library at the moment, and I'm not too familar with OpenSSL. I've

RE: Debugging cause of unable to get local issuer certificate - one cert works, one doesn't

[mailto:owner-openssl-us...@openssl.org] On Behalf Of James Crowley Sent: Monday, September 23, 2013 14:28 To: openssl-users@openssl.org Subject: *** Spam *** Debugging cause of unable to get local issuer certificate - one cert works, one doesn't Hi everyone, I'm hitting a unable to get local issuer

Re: Debugging cause of unable to get local issuer certificate - one cert works, one doesn't

@openssl.org *Subject:* *** Spam *** Debugging cause of unable to get local issuer certificate - one cert works, one doesn't ** ** Hi everyone, ** ** I'm hitting a unable to get local issuer certificate error on a specific SSL certificate, and I was wondering how I can best debug

Re: Verify return code: 20 (unable to get local issuer certificate) for www.verisign.com

, the top root CA. Regards. -- From: Joshua Bowman Sent: Tuesday, June 05, 2012 9:48 AM To: openssl-users@openssl.org Subject: Re: Verify return code: 20 (unable to get local issuer certificate

Re: Verify return code: 20 (unable to get local issuer certificate) for www.verisign.com

cert so they don't work. Joshua Bowman On 6/4/2012 9:07 PM, Vladimir Belov wrote: Hi, I have a httpS-client and try to load www.verisign.com. I get the error during certificate verification: “20 (unable to get local issuer certificate)” The same error code was when I used s_client

Re: Verify return code: 20 (unable to get local issuer certificate) for www.verisign.com

root CA should I add? Regards, Vladimir. -- From: Joshua Bowman Sent: Tuesday, June 05, 2012 8:48 AM To: openssl-users@openssl.org Subject: Re: Verify return code: 20 (unable to get local issuer certificate) for www.verisign.com Hi Vladimir

Re: Verify return code: 20 (unable to get local issuer certificate) for www.verisign.com

, 2012 8:48 AM To: openssl-users@openssl.org Subject: Re: Verify return code: 20 (unable to get local issuer certificate) for www.verisign.com Hi Vladimir, Use the actual root CA instead (i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority) and you'll see it works

Re: Verify return code: 20 (unable to get local issuer certificate) for www.verisign.com

. -- From: Joshua Bowman Sent: Tuesday, June 05, 2012 8:48 AM To: openssl-users@openssl.org Subject: Re: Verify return code: 20 (unable to get local issuer certificate) for www.verisign.com Hi Vladimir, Use the actual root CA instead (i:/C=US/O

RE: FAILED:unable to get local issuer certificate

Dr. Henson, I installed the Apache 2.2.22/OpenSSL 1.0.1a bundle and then put OpenSSL 1.0.0i on top of that. That, in conjunction with adding the root cert to the store for those users with 6-layer cert chains, did the trick! All the users can now access the site! This is an area I'm not very

RE: FAILED:unable to get local issuer certificate

+-+-+-+-+-+-+ -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Monday, May 07, 2012 7:13 PM To: openssl-users@openssl.org Subject: Re: FAILED:unable to get local issuer certificate On Mon, May 07

Re: FAILED:unable to get local issuer certificate

On Tue, May 08, 2012, dave.mclel...@emc.com wrote: Hi Dr. Steve: can I get clarification on your note about the '...link algorithm has changed...'? Does this refer to the hash computed over a certificate which is needed when using SSL_CTX_load_verify_locations(pCtx, NULL,

Re: FAILED:unable to get local issuer certificate

On Tue, May 08, 2012, Tammany, Curtis wrote: If this works in 1.0.1 but not 0.9.8 I'm guessing its the name constraints extension that is the problem which isn't supported in OpenSSL 0.9.8. One of the intermediate certs does have a name constraint... It is most likely critical then

RE: FAILED:unable to get local issuer certificate

Verification: Error (20): unable to get local issuer certificate and Re-negotiation handshake failed: Not accepted by client!?. It ties into the problem I was having back in February (Windows 7/IE8 CAC enabled sites) that I really never truly addressed. The production server had Apache 2.2.22

RE: FAILED:unable to get local issuer certificate

local issuer certificate On Tue, May 08, 2012, dave.mclel...@emc.com wrote: Hi Dr. Steve: can I get clarification on your note about the '...link algorithm has changed...'? Does this refer to the hash computed over a certificate which is needed when using SSL_CTX_load_verify_locations

RE: FAILED:unable to get local issuer certificate

If this works in 1.0.1 but not 0.9.8 I'm guessing its the name constraints extension that is the problem which isn't supported in OpenSSL 0.9.8. One of the intermediate certs does have a name constraint... Does the production site have any directories of trusted certificates or are they all

RE: FAILED:unable to get local issuer certificate

: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Thursday, May 03, 2012 19:01 To: openssl-users@openssl.org Subject: Re: FAILED:unable to get local issuer certificate On Thu, May 03, 2012, Tammany, Curtis wrote: Well... If by trusted

Re: FAILED:unable to get local issuer certificate

On Mon, May 07, 2012, Tammany, Curtis wrote: Now have added only the Common Policy CA at the top of the certs file. The development site works for both the long chain and short chain users. I put the cert file out on the production site and the short chain users can access the site but

RE: FAILED:unable to get local issuer certificate

-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Thursday, May 03, 2012 19:01 To: openssl-users@openssl.org Subject: Re: FAILED:unable to get local issuer certificate On Thu, May 03, 2012, Tammany, Curtis wrote: Well... If by trusted store you mean my one cert file pointed

RE: FAILED:unable to get local issuer certificate

It sounds like some clients have the correct intermediate certificate(s) installed and some do not. They should select the certificate, click the view button and see if the certificate path is complete (i.e. it says it is OK). On systems (XP and some Win7) where the user can access the site

Re: FAILED:unable to get local issuer certificate

On Thu, May 03, 2012, Tammany, Curtis wrote: It sounds like some clients have the correct intermediate certificate(s) installed and some do not. They should select the certificate, click the view button and see if the certificate path is complete (i.e. it says it is OK). On systems

RE: FAILED:unable to get local issuer certificate

: Thursday, May 03, 2012 12:57 To: openssl-users@openssl.org Subject: Re: FAILED:unable to get local issuer certificate On Thu, May 03, 2012, Tammany, Curtis wrote: It sounds like some clients have the correct intermediate certificate(s) installed and some do not. They should select

RE: FAILED:unable to get local issuer certificate

: Thursday, May 03, 2012 12:57 To: openssl-users@openssl.org Subject: Re: FAILED:unable to get local issuer certificate On Thu, May 03, 2012, Tammany, Curtis wrote: It sounds like some clients have the correct intermediate certificate(s) installed and some do not. They should select

Re: FAILED:unable to get local issuer certificate

On Thu, May 03, 2012, Tammany, Curtis wrote: Well... If by trusted store you mean my one cert file pointed to by SSLCACertificateFile, then yes I added the Common Policy, SHA-1 Federal Root CA and DoD Interoperability Root CA certs to the cert file on my development site and increased the

RE: FAILED:unable to get local issuer certificate

- it might work and it might not. When it doesn't work, we see the FAILED:unable to get local issuer certificate in the log. I'm not understanding your test. I could get them to export their certificate (without priv. key). Am I to run openssl verifiy -untrusted clientcert.pem? What will this tell me

Re: FAILED:unable to get local issuer certificate

. If the same client tries to access the site via Win7- it might work and it might not. When it doesn't work, we see the FAILED:unable to get local issuer certificate in the log. I'm not understanding your test. I could get them to export their certificate (without priv. key). Am I to run

RE: FAILED:unable to get local issuer certificate

From: owner-openssl-us...@openssl.org On Behalf Of Tammany, Curtis Sent: Friday, 27 April, 2012 09:45 To: st...@openssl.org; openssl-users@openssl.org Subject: FAILED:unable to get local issuer certificate We have an Apache 2.2.22/OpenSSL 1.0.1 CAC-enabled website running on Windows (XP

FAILED:unable to get local issuer certificate

%{SSL_CIPHER}x %{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_VERIFY}x to the CustomLog command. When a Windows 7 user tried to access the site, we saw the following entry: [25/Apr/2012:12:24:12 -0400] 172.16.10.94 TLSv1 - - FAILED:unable to get local issuer certificate GET / HTTP/1.1 - I have one certs file

Freeradius Open SSL: unable to get local issuer certificate

I am trying to build a radius server for wifi clients. I am using: Free Radius Version 2.1.7 OpenSSL 0.9.8e-fips-rhe15 I have spent some time to make it work but it is not happeniong. I am using Free Radius scripts to generate certificates but not luck. opnessl -verbose -CAfile ca.pem server.pem

Verify return code: 20 (unable to get local issuer certificate)

Hi, I can't figure this out and I've been searching the net for hours, so I hope someone can help. I want to make an ldaps connection to a remote server, but issuing openssl s_client -ssl3 -connect [domain]:636 -state -verify results in: Verify return code: 20 (unable to get local issuer

Re:Verify return code: 20 (unable to get local issuer certificate)

s_client -ssl3 -connect [domain]:636 -state -verify results in: Verify return code: 20 (unable to get local issuer certificate). When I specify the -CAfile /etc/ssl/certs/AddTrust_External_CA_Root.pem it works fine. How can I make openssl use (trust) that CAfile automatically? Thanks

Re: Verify return code: 20 (unable to get local issuer certificate)

(unable to get local issuer certificate). When I specify the -CAfile /etc/ssl/certs/AddTrust_External_CA_Root.pem it works fine. How can I make openssl use (trust) that CAfile automatically? Thanks in advance! Regards, Lennart

Re: unable to get local issuer certificate

to validate that it can communicate with my LDAP server I get this: root@mediawiki ~# openssl s_client -connect domain.home.jltaylor.net:636 -cert wiki.home.jltaylor.net.pem CONNECTED(0003) depth=0 /CN=domain.home.jltaylor.net verify error:num=20:unable to get local issuer

unable to get local issuer certificate

error:num=20:unable to get local issuer certificate verify return:1 depth=0 /CN=domain.home.jltaylor.net verify error:num=27:certificate not trusted verify return:1 depth=0 /CN=domain.home.jltaylor.net verify error:num=21:unable to verify the first certificate verify return

Re: Error 20 at 0 depth lookup:unable to get local issuer certificate

=kdc.xyz.com error 20 at 0 depth lookup:unable to get local issuer certificate The Subject and Issuer names in certificates are correct. Please let me know the cause of error and changes required in the certificate hierarchy. Regards, Vinay

Re: Error 20 at 0 depth lookup:unable to get local issuer certificate

issuer certificate The Subject and Issuer names in certificates are correct. Please let me know the cause of error and changes required in the certificate hierarchy. Regards, Vinay

Error 20 at 0 depth lookup:unable to get local issuer certificate

=kdc.xyz.com error 20 at 0 depth lookup:unable to get local issuer certificate The Subject and Issuer names in certificates are correct. Please let me know the cause of error and changes required in the certificate hierarchy. Regards, Vinay

Re: error: unable to get local issuer certificate

Hi Dave, thanks for your reply but... On Thu, Oct 21, 2010 at 7:52 PM, Dave Thompson dthomp...@prinpay.comwrote: From: owner-openssl-us...@openssl.org On Behalf Of Ariel Sent: Thursday, 21 October, 2010 16:34 On Thu, Oct 21, 2010 at 12:44 AM, sandeep kiran p

Re: error: unable to get local issuer certificate

Hi Ariel, If you want to avoid browsers warning, your only option is to get a valid certificate for your users from a commercial CA. You can get them for free from StartSSL for example (http://www.startssl.com/). If you represent an organization, then you can try to qualify for the

Re: error: unable to get local issuer certificate

: error: unable to get local issuer certificate Hi Ariel, If you want to avoid browsers warning, your only option is to get a valid certificate for your users from a commercial CA. You can get them for free from StartSSL for example (http://www.startssl.com/). If you represent an organization

Re: error: unable to get local issuer certificate

service, then this is a different story, you will need to look at WebTrust compliance as a starting point. -Eduardo -Original Message- From: Mounir IDRASSI Sent: Friday, October 22, 2010 2:26 PM To: openssl-users@openssl.org Subject: Re: error: unable to get local issuer certificate

Re: error: unable to get local issuer certificate

. -Eduardo -Original Message- From: Mounir IDRASSI Sent: Friday, October 22, 2010 2:26 PM To: openssl-users@openssl.org Subject: Re: error: unable to get local issuer certificate Hi Ariel, If you want to avoid browsers warning, your only option is to get a valid certificate

RE: error: unable to get local issuer certificate

From: owner-openssl-us...@openssl.org On Behalf Of Ariel Sent: Friday, 22 October, 2010 13:04 On Thu, Oct 21, 2010 at 7:52 PM, Dave Thompson dthomp...@prinpay.com wrote: snip Do as sandeep said. Create your own private CA with OpenSSL. You issue

Re: error: unable to get local issuer certificate

verify -CAfile combined_4.crt test1.crt $ openssl verify -CAfile combined_5.crt test1.crt In all the verification process I got the following output: * test1.crt: /CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City* * error 20 at 0 depth lookup:unable to get local issuer

RE: error: unable to get local issuer certificate

From: owner-openssl-us...@openssl.org On Behalf Of Ariel Sent: Thursday, 21 October, 2010 16:34 On Thu, Oct 21, 2010 at 12:44 AM, sandeep kiran p sandeepkir...@gmail.com wrote: mydomain.com.crt is an End-Entity certificate and not a CA cert. snip So

error: unable to get local issuer certificate

test1.crt $ openssl verify -CAfile combined_5.crt test1.crt In all the verification process I got the following output: * test1.crt: /CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City* * error 20 at 0 depth lookup:unable to get local issuer certificate* I run the above steps

Re: error: unable to get local issuer certificate

$ openssl verify -CAfile combined_5.crt test1.crt In all the verification process I got the following output: * test1.crt: /CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City* * error 20 at 0 depth lookup:unable to get local issuer certificate* I run the above steps using

Re: error: unable to get local issuer certificate

to get local issuer certificate* I run the above steps using different CA files (the combined ones I created) to sign the requests and I always get the same result :( What I'm missing here? How can I create and issue client certificates that can be recognized? I'd appreciate some light here

Re: error: unable to get local issuer certificate

.crt: /CN=*.mydomain.com/O=MyDomain, Inc./OU=MyDomain/C=US/ST=State/L=City* * error 20 at 0 depth lookup:unable to get local issuer certificate* I run the above steps using different CA files (the combined ones I created) to sign the requests and I always get the same result :( What I'm

Re: Getting crazy with error 20 at 0 depth lookup:unable to get local issuer certificate error (I tried everything...)

Firstly thank you for the extensive debug information No!! Thank you very much for your quick answer/reply!! Specifically the authority key identifier of the EE certificate is incorrectly set, though it is set correctly for other certificates in the chain. I've been checking the Authority

RE: Getting crazy with error 20 at 0 depth lookup:unable to get local issuer certificate error (I tried everything...)

at 0 depth lookup:unable to get local issuer certificate error (I tried everything...) Firstly thank you for the extensive debug information No!! Thank you very much for your quick answer/reply!! Specifically the authority key identifier of the EE certificate is incorrectly set, though

Re: Getting crazy with error 20 at 0 depth lookup:unable to get local issuer certificate error (I tried everything...)

On Thu, Aug 26, 2010, Toms Tormo wrote: Firstly thank you for the extensive debug information No!! Thank you very much for your quick answer/reply!! Specifically the authority key identifier of the EE certificate is incorrectly set, though it is set correctly for other certificates in the

Getting crazy with error 20 at 0 depth lookup:unable to get local issuer certificate error (I tried everything...)

Greetings I'm are trying to configure apache with client authentication using some commercial certificates, but we are getting troubles with it. In Apache logs we can see the following error *Certificate Verification: Error (20): unable to get local issuer certificate* I tried to verify

Re: Getting crazy with error 20 at 0 depth lookup:unable to get local issuer certificate error (I tried everything...)

On Wed, Aug 25, 2010, Toms Tormo wrote: Honestly, I have no idea what I'm doing wrong.. I've checked all the requirements OpenSSL needs and the certificates fulfill them all... Could you please help me? I'm getting desperate... Firstly thank you for the extensive debug information, all too

Re: Help on chain certification verify: unable to get local issuer certificate

-root-ca_cert.pem -untrusted ../hongdiz-ca1/hongdiz-ca1_cert.pem hongdiz-router-1_cert.pem hongdiz-router-1_cert.pem: /C=CN/ST=Shanghai/O=Cisco/OU=IPCBU/CN=hongdiz-router-1.crdc.cisco.com error 20 at 0 depth lookup:unable to get local issuer certificate 2. Verify hongdiz-root-ca -- hongdiz

Help on chain certification verify: unable to get local issuer certificate

error 20 at 0 depth lookup:unable to get local issuer certificate 2. Verify hongdiz-root-ca -- hongdiz-ca1 [OK] [r...@hongdiz-server-1 hongdiz-router-1]# openssl verify -CAfile ../hongdiz-root-ca/hongdiz-root-ca_cert.pem ../hongdiz-ca1/hongdiz-ca1_cert.pem ../hongdiz-ca1/hongdiz-ca1_cert.pem: OK 3

RE: OCSP_basic_verify:certificate verify error ( Verify error:unable to get local issuer certificate)

error:unable to get local issuer certificate) Date: Fri, 16 Jul 2010 14:27:05 -0400 Hi Luis: See reply inline: On July 16, 2010 11:05:46 am Luis Neves wrote: snip besides this, why I have to force httpd.conf with a SSLOCSPDefaultResponder directive? Shouldnt the mod_ssl code discover

RE: OCSP_basic_verify:certificate verify error ( Verify error:unable to get local issuer certificate)

error:unable to get local issuer certificate) Date: Fri, 16 Jul 2010 14:27:05 -0400 Hi Luis: See reply inline: On July 16, 2010 11:05:46 am Luis Neves wrote: snip besides this, why I have to force httpd.conf with a SSLOCSPDefaultResponder directive? Shouldnt the mod_ssl code

RE: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate)

Date: Thu, 15 Jul 2010 18:15:32 +0200 From: st...@openssl.org To: openssl-users@openssl.org Subject: Re: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate) On Thu, Jul 15, 2010, Luis Neves wrote: some progress: openssl ocsp

Re: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate)

On Fri, Jul 16, 2010, Luis Neves wrote: Ok, using your tip I confirmed that CA certificate is the CC0003.pem Ive include it at the end of ca-bundle.crt, pem encoded like the others on this file and used it as openssl ocsp -issuer /etc/pki/tls/certs/CC0003.pem -cert

RE: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate)

2010 13:18:16 +0200 From: st...@openssl.org To: openssl-users@openssl.org Subject: Re: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate) On Fri, Jul 16, 2010, Luis Neves wrote: Ok, using your tip I confirmed that CA certificate

Re: OCSP_basic_verify:certificate verify error ( Verify error:unable to get local issuer certificate)

Hi Luis: See reply inline: On July 16, 2010 11:05:46 am Luis Neves wrote: snip besides this, why I have to force httpd.conf with a SSLOCSPDefaultResponder directive? Shouldnt the mod_ssl code discover automatically the responder address from the client certificate itself?? From your

OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate) ERROR

: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error (Verify error:unable t o get local issuer certificate) [Wed Jul 14 16:39:46.106992 2010] [error] [pid 32170] failed to verify the OCSP response Regards, Luis

RE: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate) ERROR

verify error:ocsp_vfy.c:122:Verify error:unable to get local issuer certificate /home/oracle/lneves.pem: unknown This Update: Jul 15 11:16:16 2010 GMT the Cert Status: unknown status is due to the unable to get local issuer certificate error??? help me

Re: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate) ERROR

CERTIFICATE- Response Verify Failure 3537:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:unable to get local issuer certificate /home/oracle/lneves.pem: unknown This Update: Jul 15 11:16:16 2010 GMT the Cert Status: unknown status

RE: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate) ERROR

...@openssl.org To: openssl-users@openssl.org Subject: Re: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate) ERROR On Thu, Jul 15, 2010, Luis Neves wrote: openssl ocsp -issuer /etc/pki/tls/certs/CC0001.pem -cert /home/oracle/lneves.pem

RE: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate) ERROR

Extensions: OCSP Nonce: 0410B32E193742C48C57C927C1F062AB06A5 Date: Thu, 15 Jul 2010 14:27:55 +0200 From: st...@openssl.org To: openssl-users@openssl.org Subject: Re: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate

RE: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate)

some progress: openssl ocsp -issuer /etc/pki/tls/certs/CC0003.pem -cert /home/oracle/lneves.pem -url http://ocsp.auc.cartaodecidadao.pt/publico/ocsp -CAfile /etc/pki/tls/certs/CC0003.pem -resp_text using CC0003.pem instead of C0002.pem returns GOOD (will try to check why) but still returning

Re: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate)

On Thu, Jul 15, 2010, Luis Neves wrote: some progress: openssl ocsp -issuer /etc/pki/tls/certs/CC0003.pem -cert /home/oracle/lneves.pem -url http://ocsp.auc.cartaodecidadao.pt/publico/ocsp -CAfile /etc/pki/tls/certs/CC0003.pem -resp_text using CC0003.pem instead of C0002.pem returns

Re: OCSP_basic_verify:certificate verify error (Verify error:unable to get local issuer certificate) ERROR

as authorityInformationAccess'. What you need to do is ensure that the CA that issued the OCSP responder's certificate is in ca-bundle.txt. The first secton, the Unknown, will still state 'unknown' (and you will have to ask the CA why it's returning 'unknown status'. The 'unable to get local issuer certificate

RE: unable to get local issuer certificate certificate not trusted errors

...@openssl.org] On Behalf Of Duncan Berriman Sent: Thursday, July 09, 2009 3:18 PM To: openssl-users@openssl.org Subject: Re: unable to get local issuer certificate certificate not trusted errors Its likely that the certificate is not installed correctly and that the person who installed it did not install

Re: errcode = 20 : unable get the local issuer certificate

: unable get the local issuer certificate???. But, I move the some certificates??? position or delete some certificates from CA_AAA.pem, then I generate the two CA certificate files (Test_CA_AAA.pem and Test.pem). I try the CA certificates files with verify command. (openssl verify ???CAfile

Re: errcode = 20 : unable get the local issuer certificate

AAACertificateServices.pem???. In Windows/Linux platform, the verify command can be valid. In MAC OS platform, it can???t be valid. It always show ???errcode = 20 : unable get the local issuer certificate???. But, I move the some certificates??? position or delete some certificates from CA_AAA.pem, then I

[Openssl Verify issue in MAC OS]errcode = 20 : unable get the local issuer certificate

command can be valid. In MAC OS platform, it can’t be valid. It always show “errcode = 20 : unable get the local issuer certificate”. But, I move the some certificates’ position or delete some certificates from CA_AAA.pem, then I generate the two CA certificate files (Test_CA_AAA.pem and Test.pem

RE: unable to get local issuer certificate

From: owner-openssl-us...@openssl.org On Behalf Of Duncan Berriman Sent: Wednesday, 22 April, 2009 06:20 To: openssl-users@openssl.org Subject: RE: unable to get local issuer certificate (cert from one server is SOMETIMES not verifying in client) How about serialnumber? snip Serial

RE: unable to get local issuer certificate

)05/OU=Authenticated by VeriSign verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /1.3.6.1.4.1.311.60.2.1.3=GB/2.5.4.15=V1.0, Clause 5.(b)/serialNumber=03266266/C=GB/ST=Hampshire/L=Portsmouth/O=xt/OU=x/OU=Term s of use at www.verisign.co.uk/rpa (c)05/OU=Authenticated

unable to get local issuer certificate

server so its possible its some sort of cluster and I guess that might be causing the issue. SSL_get_verify_result is returning unable to get local issuer certificate X509_NAME_oneline (X509_get_subject_name... And X509_NAME_oneline (X509_get_issuer_name... return identical information in either

  1   2   >