Hello,

I'm getting the same error 20 as below for a different site. I did find out that the certificate issuer is Equifax Secure Certificate Authority. Obviously this is not one of the popular CAs such as Thawte, VeriSign, etc. Is this my problem? If so, how do I tell openssl to recognize this CA? Following is my entire error for your reference. Thanks in advance for your help.

>openssl s_client -quiet -connect 12.175.11.57:443
depth=0 /C=US/ST=Wisconsin/L=Madison/O=Integrasys/OU=Madison/CN=model.goxroads.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Wisconsin/L=Madison/O=Integrasys/OU=Madison/CN=model.goxroads.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=Wisconsin/L=Madison/O=Integrasys/OU=Madison/CN=model.goxroads.com
verify error:num=21:unable to verify the first certificate
verify return:1

Carlo

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Saju Paul
Sent: Friday, February 01, 2008 10:39 AM
To: openssl-users@openssl.org
Subject: RE: " unable to get local issuer certificate" & certificate not trusted errors
Importance: High

Who is the signer of certificate newcert.pem? Is it a self-signed certificate? It should not be. newcert.pem should be signed by a trusted CA (Thawte, VeriSign, GoDaddy etc.) or by a CA that is in Google/Gmail's CA repository.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of gopinath ethiraja
Sent: Friday, February 01, 2008 5:11 AM
To: openssl-users@openssl.org; openssl-...@openssl.org
Subject: " unable to get local issuer certificate" & certificate not trusted errors

I tried to connect to a server using the s_client command, but I get an error stating "unable to get local issuer certificate", and it also gives "certificate not trusted". How do I overcome these errors?

C:\OpenSSL\bin>openssl s_client -connect gmail.com:443 -verify 3 -cert newcert.pem -key newkey.pem -CAfile cacert.pem -state
verify depth is 3
Enter pass phrase for newkey.pem:
Loading 'screen' into random state - done
CONNECTED(000002D4)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 1778 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 78B1A16CBC8BFA005701E93ABC140387DEEC3CB62CB4396265BB4CD6490A9FEE
    Session-ID-ctx:
    Master-Key: 55DF03F5380E46145D0673EB66A82201810AC9E4CA82A7BD8E4DA4CCE34AB589C9C79C560951DFF731B26A537A43DC11
    Key-Arg   : None
    Start Time: 1201860116
    Timeout   : 300 (sec)
    Verify return code: 27 (certificate not trusted)
---
read:errno=0
SSL3 alert write:warning:close notify

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
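
Added example, not part of the original thread: the depth printed next to verify error 20 names the certificate whose issuer the client could not find locally. The script below builds a constructed root -> intermediate -> leaf chain and verifies it against three different trust setups. All names and files are made up, and it assumes the openssl command-line tool is on PATH; the same -CAfile option applies to s_client.

```shell
#!/bin/sh
# Constructed demo PKI: every subject name and file here is made up for illustration.

build_chain() {   # $1 = empty working directory
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # root: self-signed trust anchor; int: signed by root; leaf: signed by int.
    openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
    openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -out "$d/leaf.pem" 2>/dev/null
}

# Runs `openssl verify` with the given arguments and prints "ok" or the first
# failure as "error=<code> depth=<n>" (depth 0 is the server certificate).
verify_result() {
    rc=0
    out=$(openssl verify "$@" 2>&1) || rc=$?
    err=$(printf '%s\n' "$out" |
        sed -n 's/.*error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth.*/error=\1 depth=\2/p' |
        head -n 1)
    if [ -n "$err" ]; then echo "$err"
    elif [ "$rc" -eq 0 ]; then echo ok
    else echo "failed: $out"; fi
}

demo() {
    d=$(mktemp -d) || return 1
    build_chain "$d" || return 1
    # Root trusted and intermediate available: the chain is complete.
    echo "full chain:           $(verify_result -CAfile "$d/root.pem" -untrusted "$d/int.pem" "$d/leaf.pem")"
    # Intermediate not supplied (server sent only its own certificate).
    echo "missing intermediate: $(verify_result -CAfile "$d/root.pem" "$d/leaf.pem")"
    # Intermediate supplied, but the root is not in the trust store being used.
    echo "root not trusted:     $(verify_result -untrusted "$d/int.pem" "$d/leaf.pem")"
    rm -rf "$d"
}
demo
```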