stackoom
  简体   繁体   中英

Unable to `openssl verify' letsencrypt certificate

 原文  2018-06-11 17:28:03       ssl/ openssl/ lets-encrypt/ certbot

Question

I gererate a certificate with Letsencrypt using the Certbot container: 

$ mkdir /home/$USER/letsencrypt
$ docker run -it --rm -p 80:80 -p 443:443 -v /home/$USER/letsencrypt:/etc/letsencrypt certbot/certbot certonly --standalone --email user@example.com --agree-tos -d example.com

I navigate to the generated certificate: 

$ cd /home/$USER/letsencrypt/live/example.com

I can verify chain.pem : 

$ openssl verify chain.pem 
chain.pem: OK

And I can see what's in chain.pem : 

$ openssl x509 -noout -in chain.pem -subject -issuer
subject=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3

I can't verify cert.pem (presumably because it needs the chain): 

$ openssl verify cert.pem
CN = example.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error cert.pem: verification failed

But I also can't verify fullchain.pem either: 

$ openssl verify fullchain.pem
CN = example.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error fullchain.pem: verification failed

The certificate seems to work in the browser, but is failing in curl (and an Android http client, which is the real issue): 

$ curl https://example.com
curl: (60) SSL certificate problem: unable to get local issuer certificate

I've double-checked that fullchain.pem is a concatenation of cert.pem and chain.pem .

So: I don't understand why fullchain.pem doesn't verify?

3 answers

solution1
 3 ACCPTED  2018-06-12 12:17:09

I figured this out from man verify , reading the description of untrusted . Turns out untrusted is actually how you specify the certificate chain of trust (seems counterintuitive when you put it like that).

So, the command you need to verify a Letsencrypt cert is: 

openssl verify -untrusted chain.pem cert.pem

Where cert.pem is your certificate and chain.pem is the LE intermediate cert. There's no need to use fullchain.pem for this.

solution2
 1  2018-10-30 17:54:24

I was struggling with the same issue for 3 days. But the error was a result of a configuration error in the in my Apache configuration.

I found out by Command openssl s_client -connect advertentiekracht.nl:443 returned: 

Certificate chain
 0 s:/CN=advertentiekracht.nl
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

inclusive the "Unable to get local issuer certificate"

Command : [root@srv ssl]# openssl x509 -noout -in /etc/letsencrypt/live/advertentiekracht.nl/chain.pem -subject -issuer showed the missing chain: 

subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3

I am certainly not familiar with openssl and certificates. There certainly can be a lot of reasons leading to "Unable to get local issuer certificate. But before you start digging like I did, check your http server configuration . For me that is Apache. I had typos in the where the SSL certificate hocus pocus is defined. The httpd toke the erroneous lines below 

        SSLCertificateFile /etc/letsencrypt/live/advertentiekracht.nl/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/advertentiekracht.nl/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

Mind the first line SSLCertificateFile shoud be SSLCertificateChainFile, and I missed the references to the cert.pem and the chain.pem. The lines below solved my problem: 

        SSLCertificateChainFile /etc/letsencrypt/live/advertentiekracht.nl/fullchain.pem
    SSLCertificateFile /etc/letsencrypt/live/advertentiekracht.nl/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/advertentiekracht.nl/chain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/advertentiekracht.nl/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

Result, a complete chain: 

    Certificate chain
 0 s:/CN=advertentiekracht.nl
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

solution3
 0  2018-06-12 09:47:18

Counterintuitively, I finally got openssl verify to work by adding the root certificate to the chain. It feels like the Letsencrypt CA should already be available, so I'm not convinced this is the right thing to do (and would welcome comments).

The steps were:

  • Chrome developer tools > Security tab > View Certificate > Details tab > Select root certificate ("Builtin Object Token:DST Root CA X3")
  • Click Export, export as Base64-Encoded ASCII, Single certificate (I named it ca.pem )

Concatenate the root to the chain: 

$ ca.pem fullchain.pem > cachain.pem

Then verify: 

$ openssl verify cachain.pem
cachain.pem: OK

This feels "wrong" so I'd like to understand whether this is a false positive.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Unable to openssl verify SSL certificate OpenSSL: unable to verify the first certificate for Experian URL OpenSSL error: unable to verify the first certificate Verify server certificate OpenSSL OpenSSL use -CAFile on LetsEncrypt-Certificate OpenSSL verify: “error 20 at 0 depth lookup: unable to get local issuer certificate” between different OpenSSL versions How to verify DER certificate with openssl? openssl verify not working with GeoTrust Certificate How to verify certificate chain with openssl Ruby 2.6.6 OpenSSL 1.1.1g - certificate verify failed (unable to get local issuer certificate)
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM