Those two errors were unrelated, although the error message was the same.
[...]SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 [...] Start Time: 1411583991 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate)
The above error was issued by the openssl s_client command. As explained by Florian Heigl, you get this error because openssl s_client needs the GlobalSign root cert in /etc/ssl/certs.
OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: gv.symcd.com
This error was issued by the nginx OCSP routine, specifically when you add the line ssl_stapling_verify on; to nginx.conf.
Here is an excerpt from the documentation of ssl_stapling_verify that explains why it throws the error:
Syntax: ssl_stapling_verify on | off;
Enables or disables verification of OCSP responses by the server.
For verification to work, the certificate of the server certificate issuer, the root certificate, and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive.
In other words, you need to provide (2) the Intermediate CA Bundle (RapidSSL SHA256 CA - G3) and (3) the Intermediate CA Bundle (GeoTrust Global CA) to the ssl_trusted_certificate directive.
cat GeoTrustGlobalCA.crt rapidsslG3.crt > ocsp-chain.crt
and add ocsp-chain.crt to the ssl_trusted_certificate directive.
As part of the TLS handshake a server will (if configured to require client authentication via X.509 certificates) send a certificate request back to the client. Part of this request is a list of CA certificates which the server trusts. A client is expected to send a client authentication certificate that chains to one of the CA certificates in this list.
If you think about it, it's pointless for the client to send a certificate if it can't be verified by the server, so it makes sense for the server to send the list of CA certificates it trusts. It would be inefficient for the client to send certificates to the server if the server doesn't trust them. This is especially true for a client which has many certificates - it would have to send them all in the hope that one is trusted by the server.
nginx generates this list from the file of certificates pointed to by ssl_client_certificate. You need to send this list or switch off ssl_verify_client.
Also note that ssl_trusted_certificate will verify client certificates, but the certificates in the file pointed to by this directive are not sent to the client as part of the TLS handshake. Instead, these CA certificates can be used for verifying OCSP responses when OCSP stapling is configured.
You can read about it in RFC 5246, section 7.4.4 and while you're there you can read about all the other gory details of the TLS handshake.
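The two answers above describe two different directives that are easy to confuse: ssl_trusted_certificate (the CA chain nginx uses to verify the stapled OCSP response, never sent to clients) and ssl_client_certificate (the CA list advertised in the CertificateRequest). The script below is an added example, not code from the thread or from nginx: it assembles the ocsp-chain.crt bundle the first answer builds with cat, adds two sanity checks on the bundle, writes a server block that uses both directives, and includes the openssl s_client checks a server operator would run against their own host. File names and the paths under /etc/nginx/ssl are assumptions; the PEM bodies in the test are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the thread): build the CA bundle that
# ssl_trusted_certificate needs for ssl_stapling_verify, write a server block
# using both ssl_trusted_certificate and ssl_client_certificate, and provide
# defender-side checks. Paths and file names are assumptions; the thread itself
# names GeoTrustGlobalCA.crt and rapidsslG3.crt.
set -eu

# Concatenate PEM files into one bundle (intermediates first, root last),
# making sure a missing trailing newline cannot glue two PEM blocks together.
build_ocsp_chain() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        if [ -n "$(tail -c 1 "$f")" ]; then
            printf '\n' >> "$out"
        fi
    done
}

# Number of certificates in a bundle: each PEM block starts with this line.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# True if a bundle accidentally contains a private key (bundles often end up
# in world-readable config directories).
contains_private_key() {
    grep -q 'PRIVATE KEY-----' "$1"
}

# Constructed placeholder "certificate" for offline testing: only the PEM
# framing that the checks above look at, not a real certificate.
make_sample_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$2" '-----END CERTIFICATE-----' > "$1"
}

# Server block with the two directives the answers contrast:
#   ssl_client_certificate  -> CA list advertised to clients in the CertificateRequest
#   ssl_trusted_certificate -> CA chain used to verify the OCSP response, never sent
write_nginx_snippet() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate         /etc/nginx/ssl/server-fullchain.crt;  # leaf + intermediates
    ssl_certificate_key     /etc/nginx/ssl/server.key;

    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_trusted_certificate /etc/nginx/ssl/ocsp-chain.crt;    # intermediates + root
    resolver                127.0.0.53 valid=300s;           # to look up the OCSP responder

    ssl_verify_client       on;
    ssl_client_certificate  /etc/nginx/ssl/client-cas.crt;   # CAs advertised to clients
}
EOF
}

# Live checks against your own server (need network and openssl; not run offline).
# check_stapling shows the stapled response and the "Verify return code" line seen
# in the first answer; show_advertised_cas shows the CA names the server sends
# in the CertificateRequest (RFC 5246, section 7.4.4).
check_stapling() {
    printf 'Q\n' | openssl s_client -connect "$1:443" -servername "$1" -status 2>&1 \
        | grep -E 'OCSP Response Status|Cert Status|Verify return code'
}
show_advertised_cas() {
    printf 'Q\n' | openssl s_client -connect "$1:443" -servername "$1" 2>&1 \
        | sed -n '/Acceptable client certificate CA names/,/^---/p'
}
```

A "Verify return code: 0 (ok)" from check_stapling depends on the client's own trust store, as the first answer notes for openssl s_client; a "Cert Status: good" line with ssl_stapling_verify on is what shows that nginx itself was able to verify the responder against ocsp-chain.crt.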
Best Answer
I found this in the nginx source code, in the file ngx_event_openssl_stapling.c#L660:
If you configure the `ssl_stapling_verify` value to on, then `staple->verify` will be true; next, the function `OCSP_basic_verify` will use the `OCSP_TRUSTOTHER` param to verify. Then I found the OCSP_basic_verify function in the openssl library; it said:
More about this is here: https://meto.cc/article/what-exactly-did-ssl_stapling_verify-verify