SSL – Getting tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1528:SSL alert number 48 even though verification seems to be ok


I have a root CA which signed 2 intermediate CAs (a client CA and a server CA), and 2 certs (a client cert which is signed by the client CA and a server cert which is signed by the server CA). Now the server has the root CA and a combined server CA, which is the concatenation of the server cert and the server CA, and the client has the root CA and a combined client cert, which is the concatenation of the client cert and the client CA.

With openssl s_client -connect <host:port> -cert combinedclientcert.pem -key clientkey.pem -CAfile rootca.pem -state -debug, I see below (just pasting the TLS related logs):

SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client certificate
SSL_connect:SSLv3/TLS write client key exchange
SSL_connect:SSLv3/TLS write certificate verify
SSL_connect:SSLv3/TLS write change cipher spec
SSL_connect:SSLv3/TLS write finished
SSL3 alert read:fatal:unknown CA
SSL_connect:error in error
140052693504448:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1528:SSL alert number 48
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
SSL handshake has read 3390 bytes and written 2027 bytes
Verification: OK
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Master-Key: 16A63159B6A5BFB210A020396BB9E234185F70E737F9EE2F980A13AE0868C6CA223B65A841E5BCB359D8B53FC2072DE4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1615273842
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no

read from 0x556f4a6bb800 [0x556f4a6b0d80] (8192 bytes => 0 (0x0))

Can someone help me to understand why we see /ssl/record/rec_layer_s3.c:1528:SSL alert number 48?

Best Answer

The key line in the error log is

SSL3 alert read:fatal:unknown CA

You say the server has the root CA cert, but you have to install it there as a trusted root certificate. The way to do that is to copy it into /usr/local/share/ca-certificates, then run


That will add it into the database of trusted root certs in /etc/ssl/certs, where openssl will find it. You'll need to do this on the client too. See man update-ca-certificates.
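
The two sides of this handshake verify each other independently, which is why the client can print "Verification: OK" while the server still answers with "unknown CA". The script below is an added example, not part of the original question or answer: it builds a throwaway PKI with the question's shape (all file and subject names are made up) and uses `openssl verify` to check each direction against a given trust file.

```shell
#!/bin/sh
# Constructed throwaway PKI with the question's shape:
#   root -> clientca -> client    and    root -> serverca -> server
# All file and subject names are made up for this example.

issue() {  # issue DIR NAME SIGNER SERIAL PROFILE   (SIGNER "self" = root)
  openssl req -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.csr" \
    -subj "/CN=example-$2" 2>/dev/null || return 1
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -set_serial "$4" \
      -days 2 -extfile "$1/$5.ext" -out "$1/$2.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
      -set_serial "$4" -days 2 -extfile "$1/$5.ext" -out "$1/$2.pem" 2>/dev/null
  fi
}

build_pki() {  # build_pki DIR
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$1/leaf.ext"
  issue "$1" root self 1 ca &&
  issue "$1" clientca root 2 ca && issue "$1" serverca root 3 ca &&
  issue "$1" client clientca 4 leaf && issue "$1" server serverca 5 leaf
}

# chain_ok TRUST LEAF [INTERMEDIATE]: succeed if LEAF chains to a cert in TRUST.
# INTERMEDIATE is what the peer sends along with its leaf (untrusted input).
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

D=$(mktemp -d) || exit 1
build_pki "$D" || exit 1
# Client checking the server chain: this is the "Verification: OK" line.
chain_ok "$D/root.pem" "$D/server.pem" "$D/serverca.pem" && echo "client: server chain ok"
# Server that trusts the root: the client chain (leaf + client CA) is accepted.
chain_ok "$D/root.pem" "$D/client.pem" "$D/clientca.pem" && echo "server: client chain ok"
# Server whose trust file lacks the root (here only its own CA): the client
# chain cannot be anchored, the condition a server reports as alert 48.
chain_ok "$D/serverca.pem" "$D/client.pem" "$D/clientca.pem" || echo "server: unknown CA"
```

Running the same `openssl verify` command against the real `rootca.pem`, client CA and client cert shows whether the chain itself is sound, leaving the server's trust configuration as the remaining thing to check.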