spacewander commented on issue #4370: URL: https://github.com/apache/apisix/issues/4370#issuecomment-856541928
> @spacewander @tokers , I use the certs in [https://github.com/apache/apisix/tree/master/t/certs](https://github.com/apache/apisix/tree/master/t/certs?rgh-link-date=2021-06-08T06%3A18%3A55Z), I get this error when I verify these certificates
>
> ```shell
> $ /usr/local/openresty/openssl111/bin/openssl verify t/certs/mtls_client.crt
> C = cn, ST = GuangDong, O = api7, L = ZhuHai, CN = client.apisix.dev
> error 20 at 0 depth lookup: unable to get local issuer certificate
> error t/certs/mtls_client.crt: verification failed
>
> $ /usr/local/openresty/openssl111/bin/openssl verify t/certs/mtls_server.crt
> C = cn, ST = GuangDong, O = api7, L = ZhuHai, CN = admin.apisix.dev
> error 20 at 0 depth lookup: unable to get local issuer certificate
> error t/certs/mtls_server.crt: verification failed
>
> $ /usr/local/openresty/openssl111/bin/openssl verify t/certs/mtls_server.crt -CAfile /usr/local/apisix/t/certs/mtls_ca.crt
> C = cn, ST = GuangDong, O = api7, L = ZhuHai, CN = admin.apisix.dev
> error 20 at 0 depth lookup: unable to get local issuer certificate
> error t/certs/mtls_server.crt: verification failed
> Can't open -CAfile for reading, No such file or directory
> 281473499807792:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('-CAfile','r')
> 281473499807792:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
> unable to load certificate
> C = cn, ST = GuangDong, L = ZhuHai, O = api7, OU = ops, CN = ca.apisix.dev
> error 18 at 0 depth lookup: self signed certificate
> error /usr/local/apisix/t/certs/mtls_ca.crt: verification failed
>
> $ /usr/local/openresty/openssl111/bin/openssl verify t/certs/mtls_client.crt -CAfile /usr/local/apisix/t/certs/mtls_ca.crt
> C = cn, ST = GuangDong, O = api7, L = ZhuHai, CN = client.apisix.dev
> error 20 at 0 depth lookup: unable to get local issuer certificate
> error t/certs/mtls_client.crt: verification failed
> Can't open -CAfile for reading, No such file or directory
> 281473612107824:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('-CAfile','r')
> 281473612107824:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
> unable to load certificate
> C = cn, ST = GuangDong, L = ZhuHai, O = api7, OU = ops, CN = ca.apisix.dev
> error 18 at 0 depth lookup: self signed certificate
> error /usr/local/apisix/t/certs/mtls_ca.crt: verification failed
> ```
>
> a little strange, `/usr/local/apisix/t/certs/mtls_ca.crt` clearly has a certificate file
>
> I get the same error `unable to get local issuer certificate` as start apisix, I think this problem is related to the certificate

Need to use `openssl verify -CAfile $ca $crt`

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]
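
The argument order from the reply above, as an added example (not part of the original comment or of the APISIX project): in the quoted output `-CAfile` follows the certificate name and is opened as a file (`fopen('-CAfile','r')`), so the leaf is checked without the CA. The throwaway CA and leaf, their subject names and the function names are constructed for this demo, and it assumes an `openssl` binary on `PATH`.

```shell
#!/bin/sh
# Added demo: option order for `openssl verify`, using a throwaway CA and leaf.
# All names below (demo-ca.example, make_demo_pki, ...) are constructed.
OPENSSL=${OPENSSL:-openssl}   # assumption: an openssl binary on PATH

# Create a self-signed CA and a leaf certificate signed by it in directory $1.
make_demo_pki() {
    "$OPENSSL" req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-ca.example" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
    "$OPENSSL" req -newkey rsa:2048 -nodes \
        -subj "/CN=demo-client.example" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    "$OPENSSL" x509 -req -in "$1/leaf.csr" -days 1 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/leaf.crt" 2>/dev/null
}

# Order used in the quoted output: certificate first, -CAfile after it.
# The leaf is checked without the demo CA loaded, then "-CAfile" and the CA
# path are each treated as further certificates to verify.
verify_cert_first() {
    "$OPENSSL" verify "$1/leaf.crt" -CAfile "$1/ca.crt" >/dev/null 2>&1
}

# Order from the reply: options first, certificate last.
verify_options_first() {
    "$OPENSSL" verify -CAfile "$1/ca.crt" "$1/leaf.crt" >/dev/null 2>&1
}

demo_dir=$(mktemp -d) && make_demo_pki "$demo_dir" || exit 1
for check in verify_cert_first verify_options_first; do
    if "$check" "$demo_dir"; then
        echo "$check: verification OK"
    else
        echo "$check: verification failed"
    fi
done
rm -rf "$demo_dir"
```

Set `OPENSSL=/usr/local/openresty/openssl111/bin/openssl` to run it against the binary used in the quoted session.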
