Posted to users@httpd.apache.org by Arun G Nair <ar...@gmail.com> on 2006/01/10 14:20:48 UTC

[users@httpd] verify error:num=20:unable to get local issuer certificate

Hi all,
    I get this error when trying to connect to my SSL enabled site with
openssl's s_client.

"verify error:num=20:unable to get local issuer certificate"

I have purchased a CRT signed by AddTrust External Root CA through Comodo.
------------------------------------------------------------------------------------------------------------------

debian:/etc/apache# /usr/bin/openssl s_client -connect localhost:443 -cert
./ssl.crt/server.crt -key
./ssl.key/server.pem
CONNECTED(00000003)
depth=1 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/2.5.4.17=22655/ST=Virginia/L=Stephens City/2.5.4.9=Stephens
City/2.5.4.9=5395 Main Street/O=My Company Inc/OU=Sales/OU=InstantSSL/CN=
www.myco.com
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
 1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=
http://www.usertrust.com/CN=UTN

...[snip]...

--------------------------------------------------------------------------------------------------------------------

Waiting for your replies..

Regards,
Arun

[users@httpd] Re: verify error:num=20:unable to get local issuer certificate

Posted by Joost de Heer <sa...@xs4all.nl>.
Arun G Nair wrote:
> Hi all,
>     I get this error when trying to connect to my SSL enabled site with
> openssl's s_client.
>
> "verify error:num=20:unable to get local issuer certificate"
>
> I have purchased a CRT signed by AddTrust External Root CA through Comodo.
> ------------------------------------------------------------------------------------------------------------------
>
> debian:/etc/apache# /usr/bin/openssl s_client -connect localhost:443 -cert
> ./ssl.crt/server.crt -key ./ssl.key/server.pem

You miss the -CAfile parameter, which points to a file with the public
keys of the CAs you want to trust.

Joost
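
Added example, not part of the original thread: it reproduces error 20 offline with `openssl verify` (instead of `s_client` against a live server) using a throwaway CA, then repeats the check with `-CAfile` naming the issuer. All subject names, file names and the helper functions `make_pki`, `verify_leaf` and `demo` are constructed for this demo.

```shell
#!/bin/sh
# Constructed demo PKI: every subject and file name below is made up.

# make_pki DIR: create a self-signed test CA and a leaf certificate signed by it.
make_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Test CA/CN=Example Root" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Org/CN=www.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$dir/server.csr" -days 1 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" >/dev/null 2>&1
}

# verify_leaf DIR [openssl verify options]: print the verdict for DIR/server.crt.
verify_leaf() {
    dir=$1; shift
    openssl verify "$@" "$dir/server.crt" 2>&1
}

# demo: run both checks in a scratch directory and clean up afterwards.
demo() {
    tmp=$(mktemp -d) || return 1
    make_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    echo "== no -CAfile: issuer is not in any trusted store =="
    verify_leaf "$tmp" || echo "(verification failed as expected)"
    echo "== with -CAfile pointing at the issuing CA =="
    verify_leaf "$tmp" -CAfile "$tmp/ca.crt"
    rm -rf "$tmp"
}

demo
```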


