
Solve "verify error:num=20:unable to get local issuer certificate" in openssl

When using openssl s_client to test an SSL connection, we may get the following error:

verify error:num=20:unable to get local issuer certificate

For example:
openssl s_client -connect facebook.com:443

CONNECTED(00000003)
depth=2 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
verify error:num=20:unable to get local issuer certificate

 ... ...
Server certificate
-----BEGIN CERTIFICATE-----
 ... ...
-----END CERTIFICATE----- 

  ... ...
SSL-Session:
  ... ...

    Verify return code: 20 (unable to get local issuer certificate)
---
DONE




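Error 20 means that OpenSSL could not find the issuer of the certificate at the reported depth among its locally trusted certificates. To solve the error, copy the content from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----", including both marker lines, and save it to a CA.pem file. The -CAfile option tells s_client to treat the certificates in that file as trusted, so the following command should not raise the error: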

openssl s_client -CAfile CA.pem -connect facebook.com:443
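
The failure and the effect of -CAfile can be reproduced offline with openssl verify, which uses the same certificate verification code and error numbers as s_client. This is an added example, not code from the original post; the throwaway root CA, the leaf certificate and all file names are constructed. It goes slightly beyond the post by placing the issuing root certificate, rather than a certificate copied from the connection under test, in the file passed to -CAfile.

```shell
#!/bin/sh
# Added example: reproduce verify error 20 offline with a throwaway CA.
# All subject names and file names here are constructed.

make_pki() {   # $1 = working directory
    # Self-signed root; the stock openssl.cnf marks it as a CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Test Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null || return 1
    # Leaf key and certificate signing request.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=leaf.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    # Leaf certificate issued by the root.
    openssl x509 -req -in "$1/leaf.csr" -days 2 \
        -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
        -out "$1/leaf.pem" 2>/dev/null
}

# Print 0 if the certificate verifies, otherwise the first error number.
verify_code() {   # $1 = certificate to check, $2 = optional -CAfile
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    else
        out=$(openssl verify "$1" 2>&1) || true
    fi
    case "$out" in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" |
               sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

dir=$(mktemp -d)
make_pki "$dir"
echo "default trust store: $(verify_code "$dir/leaf.pem")"
echo "-CAfile root.pem:    $(verify_code "$dir/leaf.pem" "$dir/root.pem")"
rm -rf "$dir"
```

The first call reports error 20 because the constructed root is not in the default trust store; the second succeeds because -CAfile supplies the issuer.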
