 

Why do I get Verify error:unable to get local issuer certificate when I run openssl ocsp?

I'm trying to validate a client certificate on an OCSP server but it fails.

This is the command that I'm trying to run:

openssl ocsp -issuer test_ca_cert.pem -cert my_test_client_cert.pem -text -url http://demo.server.com/ocsp

This is the output:

OCSP Request Data:
...
OCSP Response Data:
....
Certificate:
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Response Verify Failure
140530622551704:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:138:Verify error:unable to get local issuer certificate
my_test_client_cert.pem: good
    This Update: Jan 17 15:56:46 2017 GMT

I checked that the Issuer in my client cert is the same as the one in test_ca_cert.pem.

What am I doing wrong? How can I fix this?

Thank you

ddreian asked Jan 17 '17 16:01



1 Answer

Using -CAfile as @pedrofb suggested worked for me, but neither with the root nor with the intermediate certificate, but with the root and the intermediate bundled together (i.e. cat root.pem intermediate.pem > bundle.pem):

openssl ocsp                              \
    -CAfile root.cert.pem                 \
    -issuer intermediate.cert.pem         \
    -cert server.cert.pem                 \
    -text                                 \
    -url http://ocsp.example.com
user124384 answered Sep 19 '22 18:09
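
To see why neither the root nor the intermediate alone was enough for `-CAfile`, this added example (not part of the original answer) reproduces the chain building offline with `openssl verify`, which runs the same X.509 path validation that reports `unable to get local issuer certificate` in `openssl ocsp`. The PKI, the file names and the helpers `make_chain`, `chain_status` and `demo` are constructed for illustration; `leaf.pem` stands in for a certificate issued by the intermediate, which is an assumption about the responder's setup.

```shell
# Added example: throwaway three-tier PKI; every name and file is constructed.
# leaf.pem stands in for any certificate issued by the intermediate, e.g. an
# OCSP responder's signing certificate (an assumption about the setup).

# Create root -> intermediate -> leaf, plus bundle.pem, in directory $1.
make_chain() {
    (
        cd "$1" || exit 1
        printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
            '[ca]' 'basicConstraints=critical,CA:TRUE' > pki.cnf
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config pki.cnf \
            -extensions ca -subj '/CN=Example Root' \
            -keyout root.key -out root.pem || exit 1
        for name in intermediate leaf; do
            openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj \
                "/CN=Example $name" -keyout "$name.key" -out "$name.csr" || exit 1
        done
        openssl x509 -req -in intermediate.csr -days 2 -CA root.pem \
            -CAkey root.key -CAcreateserial -extfile pki.cnf -extensions ca \
            -out intermediate.pem || exit 1
        openssl x509 -req -in leaf.csr -days 2 -CA intermediate.pem \
            -CAkey intermediate.key -CAcreateserial -out leaf.pem || exit 1
        cat root.pem intermediate.pem > bundle.pem
    ) >/dev/null 2>&1
}

# Print "OK", or the first chain error reported for cert $2 with trust file $1.
chain_status() {
    if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
        echo OK
    else
        printf '%s\n' "$out" |
            sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
    fi
}

# Compare the three trust files discussed in the answer.
demo() {
    dir=$(mktemp -d)
    make_chain "$dir" || { echo "PKI setup failed" >&2; return 1; }
    for ca in root intermediate bundle; do
        printf '%-12s %s\n' "$ca" "$(chain_status "$dir/$ca.pem" "$dir/leaf.pem")"
    done
    rm -rf "$dir"
}
demo
```

With only the root trusted, the intermediate is missing from the path (`unable to get local issuer certificate`); with only the intermediate, the path cannot reach a self-signed anchor (`unable to get issuer certificate`); the bundle supplies both and verification succeeds.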