What I want to do: Get a clean connection with openssl -connect to a remote site. Site seems self-signed.
What I'm getting:
CONNECTED(00000003)
depth=0 CN = DC01.home.pri
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = DC01.home.pri
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = DC01.home.pri
verify error:num=21:unable to verify the first certificate
verify return:1
...
...
Verify return code: 21 (unable to verify the first certificate)
What I have tried:
echo -n | openssl s_client -connect DC01.home.pri:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem
echo -n | openssl s_client -connect DC01.home.pri:636 -CAfile ldapserver.pem
sudo cp ldapserver.pem /etc/ssl/certs/ldapserver.pem
sudo c_rehash /etc/ssl/certs/
echo -n | openssl s_client -connect dc01.home.pri:636 -CApath /etc/ssl/certs/
I have also tried
openssl verify -CAfile /etc/ssl/certs/ldapserver.pem ldapserver.pem
openssl verify -CApath /etc/ssl/certs/ ldapserver.pem
with the results of
ldapserver.pem: CN = DC01.home.pri
error 20 at 0 depth lookup:unable to get local issuer certificate
I have changed the CN/Hostname to guard myself. But the hostname is also added to my hosts file, in case it helps.
Censored PEM file
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            64:c7:48:64:00:00:00:00:00:d0
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=pri, DC=home, CN=home-HOMECA-CA
        Validity
            Not Before: Mar 7 22:41:45 2015 GMT
            Not After : Mar 6 22:41:45 2016 GMT
        Subject: CN=DC01.home.pri
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    <CENSORED>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.20.2:
                . .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            S/MIME Capabilities:
                ......0...`.H.e...*0...`.H.e...-0...`.H.e....0...`.H.e....0...+....0
                ..*.H..
            X509v3 Subject Alternative Name:
                othername:<unsupported>, DNS:DC01.home.pri
            X509v3 Subject Key Identifier:
                <CENSORED>
            X509v3 Authority Key Identifier:
                keyid:<CENSORED>
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:ldap:///CN=home-HOMECA-CA,CN=HOMECA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=home,DC=pri?certificateRevocationList?base?objectClass=cRLDistributionPoint
                  URI:http://homeca.home.pri/CertEnroll/home-HOMECA-CA.crl
            Authority Information Access:
                CA Issuers - URI:ldap:///CN=home-CA-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=home,DC=pri?cACertificate?base?objectClass=certificationAuthority
    Signature Algorithm: sha1WithRSAEncryption
         <CENSORED>
The certificate you posted is not self-signed; the issuer (DC=pri, DC=home, CN=home-HOMECA-CA) differs from the subject (CN=DC01.home.pri).
When validating the certificate, OpenSSL is unable to find a local certificate for the issuer (or the issuer of the first certificate in the chain received from the web server during the TLS handshake) with which to verify the signature(s).
You need to give openssl verify the issuer certificate (or have it in your trust store):
openssl verify -CAfile /etc/ssl/certs/<issuer-cert>.pem ldapserver.pem
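To see why verifying the leaf against itself produces error 20, here is an added shell example (not from the question or the answer) that builds a throwaway CA and a CA-signed leaf for DC01.home.pri and runs openssl verify both ways; the CA name example-CA and all files are constructed, and openssl must be on PATH.

```shell
#!/bin/sh
# Added example: reproduce "error 20 at 0 depth lookup: unable to get local
# issuer certificate" with a throwaway CA and leaf, then show that verification
# succeeds once the issuer is the trust anchor. All names are constructed;
# "example-CA" stands in for the AD CS issuer home-HOMECA-CA on the page.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway issuer CA (self-signed) and a CA-signed leaf for DC01.home.pri.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=example-CA" \
    -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=DC01.home.pri" \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out leaf.pem >/dev/null 2>&1

# Exit 0 only if the certificate's subject equals its issuer, i.e. it is
# genuinely self-signed. A leaf issued by a CA fails this check, which is
# exactly why it cannot serve as its own trust anchor.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Exit status of "openssl verify": 0 when the chain from $2 up to the trust
# anchor(s) in $1 validates, non-zero otherwise (e.g. error 20).
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demonstration: the leaf cannot vouch for itself; its issuer can.
echo "leaf self-signed?      $(is_self_signed leaf.pem && echo yes || echo no)"
echo "verify leaf with leaf: $(verify_chain leaf.pem leaf.pem && echo OK || echo FAIL)"
echo "verify leaf with CA:   $(verify_chain ca.pem leaf.pem && echo OK || echo FAIL)"
```

Against the real server, add -showcerts to s_client so any intermediate the server sends is captured as well; the certificate to pass to -CAfile is the issuer named in the leaf (home-HOMECA-CA here), obtained from the CA itself rather than from the LDAP server.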