7 votes

I am having trouble with openssl complaining about not being able to validate a locally issued cert, where I have the CA chain as well. I have the locally issued cert (in PEM and CRT) in addition to the local CA chain cert (CER, PEM, CRT). The root and issuer are the same server. Comparing the text on both certs, both match on the "Issuer:" field. This is a Red Hat Linux server. I am getting the errors "verify error:num=20:unable to get local issuer certificate" and "Verify return code: 21 (unable to verify the first certificate)".

I am not sure what to look for anymore; any feedback is appreciated.

Thanks

Jon

Troubleshooting steps

  • I did add the issuer CA cert to the Linux certs using certutil:

    certutil -d /etc/pki/nssdb -A -t "C,," -n DomainA1-Server1CA -i /root/DomainA1-Server1CA.cer

  • Ran certutil -d /etc/pki/nssdb -L and I can see the cert there:

    Certificate Nickname   Trust Attributes
                           SSL,S/MIME,JAR/XPI
    DomainA1-Server1CA     C,,

  • Ran openssl s_client -connect ServerA2:443 -CAfile /root/certs/DomainA1-Server1CA.cer (tried with .CRT and .PEM too). Got the 2 errors above.

  • Ran openssl s_client -connect ServerA2:443 -CApath /root/certs (tried with .CRT and .PEM too). Got the 2 errors above.

  • Ran openssl s_client -connect ServerA2:443. Got the 2 errors above.

Issued Cert snippet

    Data:
    Version: 3 (0x2)
    Serial Number:
    54:a9:50:a3:00:01:00:00:14:47
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: DC=com, DC=domainA1, CN=DomainA1-Server1CA
    Validity
    Not Before: April  5 16:45:48 2017 GMT
    Not After : April  5 16:45:48 2019 GMT
    Subject: C=US, ST=NY, L=CityA, O=CompanyNAME, OU=IT, CN=ServerB1.DomainA1.com

CA Chain Cert

    Data:
    Version: 3 (0x2)
    Serial Number:
    19:11:eb:af:4c:d5:a9:94:49:ka:2f:41:f2:e1:09:g2
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: DC=com, DC=domainA1, CN=DomainA1-Server1CA
    Validity
    Not Before: Aug 15 18:41:45 2015 GMT
    Not After : Aug 15 18:41:45 2025 GMT
    Subject: DC=com, DC=domainA1, CN=DomainA1-Server1CA
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)
    ...
    X509v3 Key Usage:
        Digital Signature, Certificate Sign, CRL Sign
    X509v3 Basic Constraints: critical
        CA:TRUE
    X509v3 Subject Key Identifier:
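The checks behind the symptoms above, as an added example that is not part of the original post. It builds a throwaway test CA and leaf with the openssl CLI (the names are borrowed from the certificates in the question; everything else is constructed test data), then shows the three things that decide whether a given CA file can verify a leaf: whether the names match, whether the key identifiers match (a renewed CA that reuses the old name passes the first test and fails the second, which is what "the issuer fields match but verify fails" looks like), and what openssl verify concludes. It also shows why -CApath ignores a directory that has not been hashed, and that neither certutil nor the NSS database at /etc/pki/nssdb plays any part in what openssl s_client trusts.

```shell
#!/bin/sh
# Added example: reproduce "unable to get local issuer certificate" offline and run the
# checks that explain it. Needs only the openssl CLI; the CA, leaf and "renewed" CA it
# creates are throwaway test data (the names are borrowed from the question).
set -u

# Minimal config so results do not depend on the system openssl.cnf (assumed layout).
write_cnf() {  # $1 = config path
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:ServerB1.DomainA1.com
EOF
}

# Build ca.pem, a leaf it issued, and ca-renewed.pem: same subject name, different key.
make_test_pki() {  # $1 = work directory
  d=$1; mkdir -p "$d"; write_cnf "$d/openssl.cnf"
  for name in ca ca-renewed; do
    openssl req -x509 -batch -config "$d/openssl.cnf" -extensions v3_ca \
      -subj "/DC=com/DC=domainA1/CN=DomainA1-Server1CA" -days 3650 \
      -newkey rsa:2048 -nodes -keyout "$d/$name.key" -out "$d/$name.pem" 2>/dev/null
  done
  openssl req -new -batch -config "$d/openssl.cnf" -subj "/CN=ServerB1.DomainA1.com" \
    -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -days 365 -extfile "$d/openssl.cnf" -extensions v3_leaf -out "$d/leaf.pem" 2>/dev/null
}

# Print the hex key identifier from the named X509v3 extension ("Subject" or "Authority").
# Handles both the 1.1.x ("keyid:AB:CD:...") and 3.x ("AB:CD:...") text layouts.
ext_keyid() {  # $1 = cert, $2 = Subject | Authority
  openssl x509 -in "$1" -noout -text | awk -v hdr="X509v3 $2 Key Identifier:" '
    found { sub(/^[ \t]*/, ""); sub(/^keyid:/, ""); print; exit }
    index($0, hdr) { found = 1 }'
}

# Three checks, one per cause of error 20 when the issuer "looks right":
#   name:   leaf Issuer == CA Subject (all that -CApath hashing and a visual compare test)
#   key:    leaf AKI == CA SKI, i.e. the same CA key and not a renewed CA reusing the name
#   verify: what s_client concludes with -CAfile pointing at this CA
# Returns 0 only if all three agree.
diagnose() {  # $1 = leaf cert, $2 = candidate issuer cert
  leaf=$1 ca=$2 rc=0
  iss_hash=$(openssl x509 -in "$leaf" -noout -issuer_hash)
  subj_hash=$(openssl x509 -in "$ca" -noout -subject_hash)
  aki=$(ext_keyid "$leaf" Authority)
  ski=$(ext_keyid "$ca" Subject)
  if [ "$iss_hash" = "$subj_hash" ]; then echo "issuer name: match ($iss_hash)"
  else echo "issuer name: MISMATCH leaf=$iss_hash ca=$subj_hash"; rc=1; fi
  if [ -n "$aki" ] && [ "$aki" = "$ski" ]; then echo "issuer key:  match ($ski)"
  else echo "issuer key:  MISMATCH leaf AKI=$aki ca SKI=$ski"; rc=1; fi
  if openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then echo "verify -CAfile: ok"
  else echo "verify -CAfile: FAILED (error 20 / return code 21 in s_client)"; rc=1; fi
  return $rc
}

# -CApath is not scanned: the lookup opens <subject_hash>.0, so a bare copy of the CA
# file in the directory is invisible until hashed (what `openssl rehash` / c_rehash do).
# Returns 0 once the hashed link makes verification succeed.
capath_verify() {  # $1 = leaf cert, $2 = CA cert, $3 = directory to use as -CApath
  dir=$3; rm -rf "$dir"; mkdir -p "$dir"; cp "$2" "$dir/DomainA1-Server1CA.pem"
  if openssl verify -CApath "$dir" "$1" >/dev/null 2>&1; then
    echo "unexpected: unhashed -CApath verified"; return 2
  fi
  echo "-CApath with an unhashed copy: fails, as in the question"
  ln -s DomainA1-Server1CA.pem "$dir/$(openssl x509 -in "$2" -noout -subject_hash).0"
  openssl verify -CApath "$dir" "$1" >/dev/null 2>&1 && echo "-CApath after hashing: ok"
}

demo() {
  d=$(mktemp -d)
  make_test_pki "$d"
  echo "== leaf against the CA that issued it"; diagnose "$d/leaf.pem" "$d/ca.pem"
  echo "== leaf against a renewed CA with the same name"; diagnose "$d/leaf.pem" "$d/ca-renewed.pem" || true
  echo "== -CApath"; capath_verify "$d/leaf.pem" "$d/ca.pem" "$d/capath"
  rm -rf "$d"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with `sh check-issuer.sh demo` (any file name) to see the three outcomes. Against the real files, `diagnose ServerB1.pem DomainA1-Server1CA.cer` is the whole check: if the name matches but the key identifier does not, the CA file on disk is not the one that signed the leaf, no matter what the Issuer line says. Note that -CAfile wants PEM; a DER .cer needs `openssl x509 -inform DER -in x.cer -out x.pem` first, or -CAfile silently loads nothing.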

1 Answer

-2 votes

After enabling the SSL certificate on the server, you can test it with the command below.

$ openssl s_client -connect <server name>:443

Output:

CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = <server-name>
verify error:num=20:unable to get local issuer certificate
verify return:1
-----------
-----------
    Start Time: 1492427495
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

If you get the above error (error num=20 or return code 21), add the lines below to the /etc/apache2/sites-available/default-ssl.conf file:

SSLCertificateFile      /home/ubuntu/cert/e4720ca1b42c1ebb.crt
SSLCertificateKeyFile /home/ubuntu/cert/server.key

SSLCertificateChainFile /home/ubuntu/cert/gd_bundle-g2-g1.crt

Run again:

$ openssl s_client -connect <server name>:443

Example: $ openssl s_client -connect google.com:443

Output:

CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
------------
------------
Start Time: 1492431152
Timeout   : 300 (sec)
Verify return code: 0 (ok)

If you are still getting the error, you should regenerate the SSL key and add it on the server.

Note: Apache Server Configuration.

Hope it will solve the problem :)
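What the answer's three directives look like on the Red Hat layout the question describes, as an added example rather than the answerer's own configuration (the paths and file names are assumptions). On Apache 2.4.8 and later SSLCertificateChainFile is deprecated and SSLCertificateFile may hold the leaf followed by its issuers, so the same fix becomes a concatenated file; both forms are shown next to the broken one. The check after a restart is openssl s_client -connect ServerA2:443 -showcerts: the output should now list more than one certificate and a depth=1 line for the issuer. One caveat for the question's setup: serving the chain only helps with intermediates. A private root such as DomainA1-Server1CA still has to be in the client's trust store (the -CAfile given to s_client), because a client never trusts a root merely because the server sent it.

```apache
# Added example: three shapes of the same mod_ssl setting; only one belongs in a vhost.
# Paths are assumptions for a Red Hat layout.

# Before: the leaf alone. A client that does not already hold the issuer reports
# "verify error:num=20:unable to get local issuer certificate" at depth=0.
SSLEngine on
SSLCertificateFile    /etc/pki/tls/certs/ServerB1.DomainA1.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/ServerB1.DomainA1.com.key

# Fix, Apache before 2.4.8: send the issuer chain from a separate file
# (the leaf's direct issuer first, then each issuer above it; the root is not needed).
SSLEngine on
SSLCertificateFile      /etc/pki/tls/certs/ServerB1.DomainA1.com.crt
SSLCertificateKeyFile   /etc/pki/tls/private/ServerB1.DomainA1.com.key
SSLCertificateChainFile /etc/pki/tls/certs/DomainA1-Server1CA-chain.crt

# Fix, Apache 2.4.8 and later: SSLCertificateChainFile is deprecated; append the chain
# to the certificate file instead, leaf first:
#   cat ServerB1.DomainA1.com.crt DomainA1-Server1CA-chain.crt > ServerB1.DomainA1.com-fullchain.crt
SSLEngine on
SSLCertificateFile    /etc/pki/tls/certs/ServerB1.DomainA1.com-fullchain.crt
SSLCertificateKeyFile /etc/pki/tls/private/ServerB1.DomainA1.com.key
```

Whichever form is used, `apachectl configtest` before the restart catches a chain file that is not PEM or does not match the leaf, and openssl s_client -showcerts afterwards confirms what the server actually sends.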