Ssl – openssl verify error 2 at 1 depth lookup:unable to get issuer certificate

opensslsslssl-certificate

Openssl is telling me it can't verify my concatenated cert. I downloaded the intermediate cert from the issuer (AlphaSSL) and concatenated that with my domain cert I purchased (domain cert first, then the AlphaSSL intermediate cert) as instructed by google app engine. I then followed their instructions for verifying:

openssl verify -verbose -CAfile mycert_cat.crt mycert_cat.crt

I tried to verify using the above and received this error message:

mycert_cat.crt: /C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
error 2 at 1 depth lookup:unable to get issuer certificate

I googled it, but the results said I forgot to append the cert to the file. I did not.

What else can cause this issue?

Best Answer

To check certificate with openssl you need all intermediate certificates, including root one. And best practice tell will be wise to separate files: put the certificate in one file and put intermediate and root certificates in other file.

Related Solutions

How to debug certificate chains with OpenSSL

Be sure to include all the intermediate certificates and see that they are up to date. If test.crt is in fact a file containing only /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root, this is the correct approach. You can include the root as well, and most clients will accept such chains, but a few will choke.

In general it's best practice to include all the certificates from yours to the last one before the root, in case a client doesn't have the last intermediate.

It's also possible that test.crt contains things other than the correct chain. OpenSSL doesn't do partial chain validation by default (in older versions, it doesn't do it at all). When operating in this mode it doesn't care what is in /etc/ssl/certs.

Alternatively, you may be presenting an expired intermediary certificate. CAs often recertify their intermediates with the same key; if they do that, just download the updated intermediate CA certificate and replace the expired one in your chain.

Finally, with openssl s_client, you need to specify what it is validating against. For example, use the option -CApath /etc/ssl/certs or -CAfile your_ca.crt. For the first option use your system's trust store, and for the second option specify the root CA certificate.

Nginx – OCSP validation – unable to get local issuer certificate

Those two errors was unrelated although the error message was same.

[...]SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 [...] Start Time: 1411583991 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate)

Above error was issued openssl_client command. As explained by Florian Heigl, you get this error because the openssl_client need the Globalsign Root cert in /etc/ssl/certs.

OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: gv.symcd.com

For this error, it was issued by nginx ocsp routine, especially when you add ssl_stapling_verify on; line in nginx.conf.

Here some excerpt from the documentation of ssl_stapling_verify to explain why it throws the error

Syntax: ssl_stapling_verify on | off;

Enables or disables verification of OCSP responses by the server.

For verification to work, the certificate of the server certificate issuer, the root certificate, and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive.

In other words, you need provide (2) Intermediate CA Bundle (RapidSSL SHA256 CA - G3) and (3) Intermediate CA Bundle (GeoTrust Global CA) to ssl_trusted_certificate directive.

cat GeoTrustGlobalCA.crt rapidsslG3.crt > ocsp-chain.crt

and add ocsp-chain.crt to ssl_trusted_certificate directive.

Best Answer

Related Solutions

How to debug certificate chains with OpenSSL

Nginx – OCSP validation – unable to get local issuer certificate

Related Topic