Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command
Hi Jakob & Michael & openssler, The openssl can work well now. I just used the date command to reset my system time. And then it can return OK value now. Although I didn't try it in the latest openssl1.1.0c. In my embedded linux device, I didn't initialize the time. And there is no RTC. This issue can be closed. Thank you for all -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command
Hi Jakob & Michael & opensslers, I'm sorry to ask a stupid question. That I found when I used the openssl1.0.1f, it said the error log: --log-- /tmp # ./openssl s_client -connect curl.haxx.se:443 -CAfile ./cacert.pem CONNECTED(0003) depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 verify error:num=9:certificate is not yet valid ///new error notBefore=Sep 30 21:12:19 2000 GMT verify return:0 --- Certificate chain 0 s:/CN=anja.haxx.se i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 --- Server certificate -BEGIN CERTIFICATE- .. -END CERTIFICATE- subject=/CN=anja.haxx.se issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 --- No client certificate CA names sent --- SSL handshake has read 3148 bytes and written 445 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher: ECDHE-RSA-AES128-GCM-SHA256 Session-ID: FD6ABFB426CC33309DBEA4078A4D24A07D5A80A5093AB771504CEBEFDE022706 Session-ID-ctx: Master-Key: 49725D111EC25DD193FB59E485CE32D5E0F3AD6E3269FF6617B2BC4E44ED7E4CCDDC6B05D799B69EA0FF6D974C54EBDE Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: Start Time: 2002 /// time 2002 Timeout : 300 (sec) Verify return code: 9 (certificate is not yet valid) --- closed - Is this error occurred by the system clock of my platform? Actually, I didn't do anything to synchronize time in my platform(no NTP). Would this be a reason for my first issue and this issue? I'm trying to do NTP now. Thanks -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command
Hi Michael & opensslers, > So: either there's more than one certificate in cacert-2016-11-02.pem, or OpenSSL on the PC is searching its default CA certificate directory in addition to cacert-2016-11-02.pem. Since we don't know what's > actually in cacert-2016-11-02.pem, we can't provide much further help. It seems there are many certificates in the cacert-2016-11-02.pem. A lot. -cacert-2016-11-02.pem GlobalSign Root CA == -BEGIN CERTIFICATE- ... -END CERTIFICATE- GlobalSign Root CA - R2 === -BEGIN CERTIFICATE- .. -END CERTIFICATE- Verisign Class 3 Public Primary Certification Authority - G3 -BEGIN CERTIFICATE- -END CERTIFICATE- Entrust.net Premium 2048 Secure Server CA = -BEGIN CERTIFICATE- ... -END CERTIFICATE- Baltimore CyberTrust Root = -BEGIN CERTIFICATE- ... -END CERTIFICATE- ..so on... -- > Note that if there are multiple certificates in cacert-2016-11-02.pem, you'll have to split them up into separate files and create the correct hash link for each one, if you want to use a certificate directory. Should I need to do this? >"< Because other people(in the internet) used this pem file, have no problem. They didn't separate it. And there are so many certificates. And is this step right ? 1. /tmp # ./openssl x509 -hash -fingerprint -noout -in /home/georgeyang/workspace/speech_code/openssl/openssl/final /certs/cacert-2016-11-02.pem 5ad8a5d6 SHA1 Fingerprint=B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52: A4:1D:82:9C 2. /etc/ssl/certs # ln -s /home/georgeyang/workspace/spe ech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem 5ad8a5d6.0 I will split them like this later. > Did you actually capture that, or did you retype it? Because it's not valid openssl x509 output. Note that it doesn't match what you reported from the PC: In the paltform, the openssl version is 1.1.0c. And in my PC, the openssl version is 1.0.1f. Today, I have rebuild the openssl1.0.1f for my paltform again. Although it was still NG. And the log is the same as the PC now: /tmp # ./openssl x509 -subject -noout -in /home/georgeyang/workspace/ speech_code /openssl/final/openssl/certs/cacert-2016-11-02.pem subject= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA /tmp # Thank you very much -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command
Hi Jakob & openssl-er, > Just to be sure (sometimes OpenSSL checks its default -CApath even > if you specify a -CAfile) try this command on the development machine: > openssl x509 -subject -noout -in cacert.pem > Compare to the deepest value from the screenshot above. I get the log from the embedded linux device and my PC. Sorry, I don't get the deference in the platform, but there is some deference between the platform and PC. Is this help? --from embedded platform NG log-- /tmp # ./openssl x509 -subject -noout -in cacert-2016-11-02.pem subject=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA /tmp # ./openssl s_client -connect curl.haxx.se:443 -CAfile ./cacert-2016-11-02.pem CONNECTED(0003) depth=0 CN = anja.haxx.se /always depth=0 verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = anja.haxx.se verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/CN=anja.haxx.se i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 --- Server certificate -BEGIN CERTIFICATE- -END CERTIFICATE- subject=/CN=anja.haxx.se issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 3143 bytes and written 302 bytes Verification error: unable to verify the first certificate --- New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher: ECDHE-RSA-AES128-GCM-SHA256 Session-ID: AB3322B63747715342DB68B4D18C27F98CF84D4A0E2711719E8B96FA5DA5C1FD Session-ID-ctx: Master-Key: 240CC5C33C7185E49C74076133DF385AB0282A3C68D6D6DC3CB74D0DB845E4242F61DA09A28B544CB5B1D39FA839E6AD PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: . Start Time: 39804 Timeout : 7200 (sec) Verify return code: 21 (unable to verify the first certificate) Extended master secret: no --- closed /tmp # --from PC ok log-- georgeyang@georgeyang-virtual-machine:/mnt/hgfs/share/task/danale_task/3516a$ openssl x509 -subject -noout -in cacert-2016-11-02.pem subject= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA georgeyang@georgeyang-virtual-machine:/mnt/hgfs/share/task/danale_task/3516a$ openssl s_client -connect curl.haxx.se:443 -CAfile ./cacert-2016-11-02.pem CONNECTED(0003) depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 //depth 0,1,2/ verify return:1 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify return:1 depth=0 CN = anja.haxx.se verify return:1 --- Certificate chain 0 s:/CN=anja.haxx.se i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 --- Server certificate -BEGIN CERTIFICATE- -END CERTIFICATE- subject=/CN=anja.haxx.se issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 --- No client certificate CA names sent --- SSL handshake has read 3148 bytes and written 443 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher: ECDHE-RSA-AES128-GCM-SHA256 Session-ID: 5640820B2C49B9B2E68563DFDFC7303BE01DE69E7EB4C6C833B4F7872CD173E5 Session-ID-ctx: Master-Key: 48783D2D0E03CE5EACB7AF2577E0E2AFE4F056B191BFB2641D08E602C54BF651B9C195DCFBD2AECC2092B035848B005B Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: --- Start Time: 1481718602 Timeout : 300 (sec) Verify return code: 0 (ok) --- closed georgeyang@georgeyang-virtual-machine :/mnt/hgfs/share/task/danale_task/3516a$ thank you for your help. Thanks a lot. -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command
Hi Jakob & openssl-er, 1. My cross compile command is : --- #export CROSSCOMP_DIR=/home/georgeyang/workspace/hisi/hi3516a_v100/Hi3516A_SDK_V1.0.6.0/osdrv/opensource/toolchain/arm-hisiv400-linux/arm-hisiv400-linux/bin #export INSTALL_DIR=/home/georgeyang/workspace/speech_code/openssl #./Configure -DOPENSSL_NO_HEARTBEATS linux-generic32 shared --prefix=$INSTALL_DIR --openssldir=$INSTALL_DIR/openssl/final --cross-compile-prefix=$CROSSCOMP_DIR/arm-hisiv400-linux-gnueabi- Make Make install 2. This is my openssl's details. -- /tmp # ./openssl version -a OpenSSL 1.1.0c 10 Nov 2016 built on: reproducible build, date unspecified platform: linux-generic32 compiler: /home/georgeyang/workspace/hisi/hi3516a_v100/Hi3516A_SDK_V1.0.6.0/osdrv/opensource/toolchain/arm-hisiv400-linux/arm-hisiv400-linux/bin/arm-hisiv400-linux-gnueabi-gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DNDEBUG -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -DOPENSSLDIR="\"/home/georgeyang/workspace/speech_code/openssl/openssl/final\"" -DENGINESDIR="\"/home/georgeyang/workspace/speech_code/openssl/lib/engines-1.1\"" OPENSSLDIR: "/home/georgeyang/workspace/speech_code/openssl/openssl/final" ENGINESDIR: "/home/georgeyang/workspace/speech_code/openssl/lib/engines-1.1" /tmp # Is there something wrong in my parameters? -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command
Hi openssl-er, > Does cacert.pem contain the CA certificate that issued the certificate for > https://curl.haxx.se ? I think the cacert.pem is right. Because, I can get the ok result in my PC by this command: > If your embedded file system does not support symlinks, you can instead > rename the PEM files to the names of the symlinks that c_rehash generates > on a more full-blown development computer. I don't know if my way is right. I do it like this: 1. In my device, I can't use the c_rehash. It said no perl. I input the command like this: /tmp # ./openssl x509 -hash -fingerprint -noout -in /home/georgeyang/workspace/s peech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem 5ad8a5d6 SHA1 Fingerprint=B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C 2. input command: /etc/ssl/certs # ln -s /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem 5ad8a5d6.0 /etc/ssl/certs # ls -l total 511 lrwxrwxrwx1 root root88 Jan 1 06:53 5ad8a5d6.0 -> /home/georgeyang/workspace/speech_code/openssl/openssl/final/certs/cacert-2016-11-02.pem Is this right? 3. the result is still NG /tmp # ./openssl s_client -connect curl.haxx.se:443 -CApath /etc/ssl/certs/ CONNECTED(0003) depth=0 CN = anja.haxx.se verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = anja.haxx.se verify error:num=21:unable to verify the first certificate verify return:1 --- 4. NG again CONNECTED(0003) depth=0 CN = anja.haxx.se verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = anja.haxx.se verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/CN=anja.haxx.se i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 --- Server certificate -BEGIN CERTIFICATE- --- -END CERTIFICATE- subject=/CN=anja.haxx.se issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 3143 bytes and written 302 bytes Verification error: unable to verify the first certificate --- New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher: ECDHE-RSA-AES128-GCM-SHA256 Session-ID: 3EA8329E6101B72FDA48B82E57049D637925CBC73064598B5B418270FFA5907C Session-ID-ctx: Master-Key: 61172C067AE0758A1BE71C7577B6A6E8EFD896516F602BCA30E4E369B61A4093702406403CF41FF3B9CFC2E9E76BE611 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: --- Start Time: 24915 Timeout : 7200 (sec) Verify return code: 21 (unable to verify the first certificate) Extended master secret: no --- closed Thank you :-( -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] It reported verify error:num=20:unable to get local issuer certificate in my embedded linux device, when I used the openssl command
Hi openssl-er, I'm newbie in the openssl. Recently, I ported the openssl to my embedded linux device and ran the openssl command. But there was an error occured. I had done google search a lot, but I didn't find the answer. My issue is strange, my test steps like below: 1. copy the openssl, libs, cacert.pem to the embedded linux platform. 2. run the command: /tmp #:./openssl s_client -connect curl.haxx.se:443 -CAfile /tmp/cacert.pem 3. the error log is --log CONNECTED(0003) depth=0 CN = anja.haxx.se verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = anja.haxx.se verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/CN=anja.haxx.se i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 --- Server certificate -- 4. my openssl version -d and version is /tmp # ./openssl version OpenSSL 1.1.0c 10 Nov 2016 /tmp # ./openssl version -d OPENSSLDIR: "/home/georgeyang/workspace/speech_code/openssl/openssl/final" 5. In my PC, I found this command worked well. It could return the ok value. Although the openssl version is 1.0.1f. So I think my cacert.pem is right. 6. I also used other command like: /tmp # ./openssl s_client -connect curl.haxx.se:443 -CApath /tmp/cacert.pem /tmp # ./openssl s_client -CApath /home/georgeyang/workspace/speech_code/openssl/openssl/final/ -connect curl.haxx.se:443 /tmp # ./openssl s_client -connect curl.haxx.se:443 -servername curl.haxx.se -key /etc/ssl/private/ssl-cert-snakeoil.key -CAfile /etc/ssl/certs/cacert.pem But they are all NG. In google, they all said -CAfile or -CApath could help, But it doesn't work for me. >"< Please help Thx -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
