Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

OpenSSL unable to get local issuer Cert Return Code 20

Whenever I try to connect to Google (or any other site) using OpenSSL with the following command:

s_client -connect google.com:443 -showcerts

I get the following error:

.....

Verify return code: 20 (unable to get local issuer certificate)

I do have the right CA installed. I also tried Exporting the CA and using it with -CAfile, but I still get the same error.

I exported the CAs as PKCS#12 using certmgr.msc. Afterwards I converted them to a .pem file using:

OpenSSL> pkcs12 -in D:/Certs/RootCertsNewu.pfx -clcerts -nokeys -out D:/Certs/Roo
tCertsNew.pem

Using that I tried to connect againt:

OpenSSL> s_client -connect google.com:443 -CAfile D:\Certs\RootCertsNew.pem

But I got the same response as before. I also read, that this could have something to do with the Intermediate CA, so I created a .pem file with the CA and the intermediate CA. That didn't work either. Can someone help me?

Also somehow the verification progress seems to start with GeoTrust, not Equifax, as supposed.

OpenSSL> s_client -connect google.com:443 -showcerts -CAfile D:\Certs\google-ca.
pem
Loading 'screen' into random state - done
CONNECTED(0000017C)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
like image 736
Glasse Avatar asked Jan 16 '14 11:01

Glasse


2 Answers

Go to Google Internet Authority and download their CA file.

Next convert it from DER to PEM:

$ openssl x509 -in GIAG2.crt -inform DER -out google-ca.pem -outform PEM

Finally, perform the following:

$ openssl s_client -connect google.com:443 -showcerts -CAfile google-ca.pem

Below is a similar run for me.


$ openssl s_client -connect google.com:443 -showcerts -CAfile google-ca.pem 
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = *.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
MIIHMzCCBhugAwIBAgIIRu5X4fKYZFAwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTMxMjExMTI0OTE0WhcNMTQwNDEwMDAwMDAw
WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEVMBMGA1UEAwwMKi5n
b29nbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwb9KlQfh
VnIuRWh6jz2xZSi1InIxdWluaz1RU5SmuZ+Lz+m6lGvv/P31qqNmbKvXe9eDep3R
tOxeYpRiPXmY2U1jFrQzxL0WxxrNgAxEzRvSOS5BsOtyWn75ZGSr8pDVCNGJQxq2
GTjzhAqkesIet8oW3FVIx4gfbQ2BviOrbmH5+JWC64/JGlLcSuRDkkKhNx095Yzp
tnMo1WLb9IuurvN3NgAh7meXbvwV8mPxGRBZWcU5EMQ2IRq6DtQQPGjUPP6Weg4x
dssCIfA8ffm5RznjR2N9gq6SRPNU1Wtt5+ZK1A/IVHs0PXsVnCP2WyWIFdduH7WX
jatH9fOukYWugQIDAQABo4IEADCCA/wwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMIIC1gYDVR0RBIICzTCCAsmCDCouZ29vZ2xlLmNvbYINKi5hbmRyb2lk
LmNvbYIWKi5hcHBlbmdpbmUuZ29vZ2xlLmNvbYISKi5jbG91ZC5nb29nbGUuY29t
ghYqLmdvb2dsZS1hbmFseXRpY3MuY29tggsqLmdvb2dsZS5jYYILKi5nb29nbGUu
Y2yCDiouZ29vZ2xlLmNvLmlugg4qLmdvb2dsZS5jby5qcIIOKi5nb29nbGUuY28u
dWuCDyouZ29vZ2xlLmNvbS5hcoIPKi5nb29nbGUuY29tLmF1gg8qLmdvb2dsZS5j
b20uYnKCDyouZ29vZ2xlLmNvbS5jb4IPKi5nb29nbGUuY29tLm14gg8qLmdvb2ds
ZS5jb20udHKCDyouZ29vZ2xlLmNvbS52boILKi5nb29nbGUuZGWCCyouZ29vZ2xl
LmVzggsqLmdvb2dsZS5mcoILKi5nb29nbGUuaHWCCyouZ29vZ2xlLml0ggsqLmdv
b2dsZS5ubIILKi5nb29nbGUucGyCCyouZ29vZ2xlLnB0gg8qLmdvb2dsZWFwaXMu
Y26CFCouZ29vZ2xlY29tbWVyY2UuY29tghEqLmdvb2dsZXZpZGVvLmNvbYINKi5n
c3RhdGljLmNvbYIMKi51cmNoaW4uY29tghAqLnVybC5nb29nbGUuY29tghYqLnlv
dXR1YmUtbm9jb29raWUuY29tgg0qLnlvdXR1YmUuY29tghYqLnlvdXR1YmVlZHVj
YXRpb24uY29tggsqLnl0aW1nLmNvbYILYW5kcm9pZC5jb22CBGcuY2+CBmdvby5n
bIIUZ29vZ2xlLWFuYWx5dGljcy5jb22CCmdvb2dsZS5jb22CEmdvb2dsZWNvbW1l
cmNlLmNvbYIKdXJjaGluLmNvbYIIeW91dHUuYmWCC3lvdXR1YmUuY29tghR5b3V0
dWJlZWR1Y2F0aW9uLmNvbTBoBggrBgEFBQcBAQRcMFowKwYIKwYBBQUHMAKGH2h0
dHA6Ly9wa2kuZ29vZ2xlLmNvbS9HSUFHMi5jcnQwKwYIKwYBBQUHMAGGH2h0dHA6
Ly9jbGllbnRzMS5nb29nbGUuY29tL29jc3AwHQYDVR0OBBYEFIMWsVdJifC2GE+L
sI8GP+LoQ6BgMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUSt0GFhu89mi1dvWB
trtiGrpagS8wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMDAGA1UdHwQpMCcwJaAj
oCGGH2h0dHA6Ly9wa2kuZ29vZ2xlLmNvbS9HSUFHMi5jcmwwDQYJKoZIhvcNAQEF
BQADggEBADiJO0/BuDkyS5Ki2HOeHi2Hm+t7ULpW03UdTbQlqAwjhqudY++nBMjA
v0EIbEIJKrPHeedd3BAkWaSWVGDEUgJalvJ18h1EDGZVo+5MH2WabAMPlREmK+j7
5qd8E909hSM9lmdUWZ3c1lv2blIutKq9nenSChmq2m5yM11nODXHj4Gez9MDemf1
wqBOkztQorO5jslKJXup1ZsMpjko/ZGQxb2eABg6/aF1GTFLSI1llqCB12IogHHs
GMFH6rZKoSctd4+98x4qoUjQR56Rws0cK5Y9HQciL4wYC28XS57i+HTgqfa5qmVz
lv6su2jEZsHnFYYDfZ1wZEjzgd5fK5I=
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2g
K4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYI
KwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5n
ZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEB
BQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY
/iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/
zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjza
HFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwsto
WHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6
yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx
-----END CERTIFICATE-----
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 4429 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 4BAFE5B7837B250D672F58EA7F457F76FD93043387CCC4875934150304F85DF5
    Session-ID-ctx: 
    Master-Key: 57CCB72C3AB87C8ED25561CC523EAB5C8A4450E3E905A61FA822C9BFF8D468C478E52E18A06CCD97F06FA89893368337
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 8f c1 a1 ba 2f e0 02 bf-53 a9 79 87 d2 ae d4 be   ..../...S.y.....
    0010 - b7 5c f8 bc a1 69 b2 2f-d7 cb 3e b3 36 9c f5 b6   .\...i./..>.6...
    0020 - 31 4d 63 93 17 ed 43 3b-bc 9a 83 44 49 1f 78 85   1Mc...C;...DI.x.
    0030 - f1 33 11 da c2 ce bd 7c-80 67 c7 4e e1 c1 6b ff   .3.....|.g.N..k.
    0040 - 95 5f 24 ae bd 76 58 3e-12 de 14 33 33 38 f2 38   ._$..vX>...338.8
    0050 - 71 37 77 99 8d 42 49 09-21 ac d9 5e 30 82 86 f1   q7w..BI.!..^0...
    0060 - bc f8 a0 36 56 e5 72 f3-44 04 d3 81 d3 9f 65 ff   ...6V.r.D.....e.
    0070 - da a0 1f d8 6c a3 6e 03-9b 42 48 32 cc 4d e2 e1   ....l.n..BH2.M..
    0080 - 08 21 1e 47 23 76 ee 14-22 b1 21 5a 84 52 d7 e1   .!.G#v..".!Z.R..
    0090 - 6d 1c 6d fd                                       m.m.

    Start Time: 1389972014
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE
like image 160
jww Avatar answered Oct 22 '22 00:10

jww


This worked for me:

openssl s_client -connect *<host>:<port>* -CApath */path/to/certs/*

I got the same error code when I tried to specify what the certificate and the key was, so I tried the above command instead and it worked. Just add your pem file to a directory and point -CApath to it.

Hope this helps.

like image 28
Kiran Avatar answered Oct 21 '22 22:10

Kiran