SSL – How to manually authenticate a CA signed SSL certificate

authentication, certificate-authority, ssl, ssl-certificate

A service I am using is refreshing their SSL certificate and now my connections to their service fail. They were working before the change (as in, 1 hour before the change).

Their old and new server certificates were supposed to be signed by Verisign.
How can I manually verify the certificate?

Does running it through the openssl x509 tool do it automatically?

Using openssl s_client to connect to their server, I can see the certificate they are sending during the SSL handshake. Running it through the x509 tool with the -text option, I get the following issuer line:

Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 International Server CA - G3

and the Subject: CN= value matches the hostname I am connecting to.

The complaints I am getting while connecting with s_client are (I've omitted the subject lines so as to not name the service):

verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=27:certificate not trusted
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1

Can anyone advise me on how to find out why my tools do not trust this certificate?

Best Answer

I tend to like a quick pass with curl -Iv https://www.example.com. curl will dump out the relevant SSL bits (and will use the list of CAs it has on hand).

If you need to do more by hand, you can run openssl verify with the right options, specifically the -CApath option:

$ openssl verify --help
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...

My guess at your problem is that the server isn't publishing the intermediate certificate bundle. Look at https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657 (or, more specifically, the email instructions from Verisign on how to install the certificate).
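
The situation guessed at in the answer above (a server that sends only its own certificate and not the intermediate) can be reproduced offline. This is an added example, not part of the original answer: it builds a constructed root, intermediate and leaf certificate (all names made up), then runs openssl verify once with only the root trusted and once with the intermediate supplied through -untrusted.

```shell
#!/bin/sh
# Constructed three-level PKI; every name and subject here is made up.
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
# Minimal config so nothing depends on the system openssl.cnf.
cat > "$d/cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# new_csr <name> <CN>: fresh key plus certificate request
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$d/cnf" -subj "/CN=$2" \
        -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
}

build_chain() {
    new_csr root "Demo Root CA" &&
    new_csr inter "Demo Intermediate CA" &&
    new_csr leaf "www.example.test" &&
    # Root: self-signed; stands in for the CA root already in a trust store.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/cnf" -extensions ca_ext -out "$d/root.pem" 2>/dev/null &&
    # Intermediate: signed by the root; the server is expected to send this.
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/cnf" -extensions ca_ext \
        -out "$d/inter.pem" 2>/dev/null &&
    # Leaf: signed by the intermediate, like the service's server certificate.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# verify_leaf [extra verify options]: check the leaf, trusting only the root
verify_leaf() {
    openssl verify -CAfile "$d/root.pem" "$@" "$d/leaf.pem" 2>&1
}

build_chain || exit 1
echo "--- root only (intermediate not supplied):"
verify_leaf || echo "(fails with error 20, as in the question)"
echo "--- root trusted, intermediate supplied as untrusted:"
verify_leaf -untrusted "$d/inter.pem"
```

Against a real service, openssl s_client -connect host:443 -showcerts prints every certificate the server actually sends; if only the leaf appears, the intermediate is missing on the server side.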