Hello Andy,

> -----Original Message-----
> From: Andy Pont <andy.p...@wonksw.tech>
> Sent: Monday, 18 September 2023 19:48
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Unable to get local issuer certificate
> 
> Thomas wrote…
> 
> >This means, the calling program can't verify the certificate.
> >Check whether all the intermediates are delivered by tomcat.
> >Furthermore, the calling program must know the root-certificate of your
> webserver certificate.
> 
> If I look at a random website using 'openssl s_client -showcerts -connect'
> then I get the server certificate plus two others:
> 
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R3 verify return:1
> depth=0 CN = xxx.mydomain.com
> 
> If I use the same command with the Tomcat servlet then it gives the
> following:
> 
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> verify error:num=21:unable to verify the first certificate
> verify return:1
> 
> The chain should be “Go Daddy Secure Certificate Authority - G2” and “Go
> Daddy Root Certificate Authority - G2” according to the browser.
> 
> My guess is that the .pfx file that Tomcat is using doesn’t include them.
> 
> -Andy.
> 

You can check the pfx file via:
keytool -list -v -storetype pkcs12 -keystore server.p12 

If the file doesn’t contain the intermediate certificates, you have to add them.
Don’t add the root certificate because the client has to have it anyway.

You might also consider using PEM files instead of pfx files. 
In my opinion they are easier to handle and you don’t need additional tools to 
modify them.

Greetings, Thomas
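As an added illustration of the check Thomas describes (not code from the thread or from the Tomcat project), this script inspects a .p12/.pfx keystore with openssl instead of keytool and reports whether the server certificate's issuer is stored next to it. The keystore file names, the password "changeit" and the demo CA/leaf subjects are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a PKCS12 keystore with openssl
# and report whether the server cert's issuer (intermediate CA) sits beside it.

# Print "subject=" / "issuer=" lines for every certificate in the keystore.
# $1 = keystore path, $2 = keystore password
p12_cert_names() {
  tmp=$(mktemp)
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$tmp" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$tmp" | openssl pkcs7 -print_certs -noout
  rm -f "$tmp"
}

# Exit 0 when every non-self-signed certificate in the keystore has its
# issuer stored next to it; otherwise print the missing issuer(s), which is
# what a client sees as "unable to get local issuer certificate", and exit 1.
# Exit 2 if no certificate could be read at all (bad path or password).
p12_has_leaf_issuer() {
  p12_cert_names "$1" "$2" | awk '
    /^subject=/ { n++; s = substr($0, 9); subj[s] = 1 }
    /^issuer=/  { iss[s] = substr($0, 8) }
    END {
      if (n == 0) { print "no certificates read (bad path or password?)"; exit 2 }
      missing = 0
      for (s in iss)
        if (iss[s] != s && !(iss[s] in subj)) {
          print "missing issuer for \"" s "\": " iss[s]
          missing = 1
        }
      exit missing
    }'
}

# Build two constructed keystores in directory $1 (throw-away demo keys):
# only-leaf.p12 holds just the server cert, the usual broken case;
# with-chain.p12 also holds the issuing CA, which is what Tomcat needs.
make_demo_keystores() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=xxx.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.crt" 2>/dev/null
  openssl pkcs12 -export -in "$d/leaf.crt" -inkey "$d/leaf.key" \
    -out "$d/only-leaf.p12" -passout pass:changeit
  openssl pkcs12 -export -in "$d/leaf.crt" -inkey "$d/leaf.key" \
    -certfile "$d/ca.crt" -out "$d/with-chain.p12" -passout pass:changeit
}

if [ $# -eq 2 ]; then p12_has_leaf_issuer "$1" "$2"; fi  # usage: sh check_p12.sh server.p12 <password>
```

Run it against the real Tomcat keystore; a "missing issuer" line names exactly the intermediate that has to be added before clients can build the chain.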
