Saturday, August 07, 2010

Solve "verify error:num=20:unable to get local issuer certificate" in openssl

Using openssl s_client to test a ssl connection, we may get the following error:

verify error:num=20:unable to get local issuer certificate

For example:
openssl s_client -connect facebook.com:443

CONNECTED(00000003)
depth=2 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
verify error:num=20:unable to get local issuer certificate

 ... ...
Server certificate
-----BEGIN CERTIFICATE-----
MIIGiDCCBXCgAwIBAgIQCoLvg+TMQDau82d6KfXrwDANBgkqhkiG9w0BAQUFADBp
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSgwJgYDVQQDEx9EaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBFViBDQS0xMB4XDTA4MTExODAwMDAwMFoXDTEwMTEyMjIzNTk1OVowgfYxGzAZ
BgNVBA8MElYxLjAsIENsYXVzZSA1LihiKTETMBEGCysGAQQBgjc8AgEDEwJVUzEZ
MBcGCysGAQQBgjc8AgECEwhEZWxhd2FyZTEQMA4GA1UEBRMHMzgzNTgxNTEbMBkG
A1UECRMSMTU2IFVuaXZlcnNpdHkgQXZlMQ4wDAYDVQQREwU5NDMwMTELMAkGA1UE
BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVBhbG8gQWx0bzEX
MBUGA1UEChMORmFjZWJvb2ssIEluYy4xGTAXBgNVBAMTEHd3dy5mYWNlYm9vay5j
b20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMHffWNBvcTk+mUzE3jVYjeW
p2HzsZa/I466h6ftB/neLeuox7ytd6ZejQMDNuNN99Dxq2byty4zFr4mD11BFn//
twCe+g6ZFWxSGtcKxq375AciP9sEpLZppe3Wh7aIxYP16Maz/8AOH52jhXDtonYU
e3A+77BCCzjWggAj3WN1AgMBAAGjggMgMIIDHDAfBgNVHSMEGDAWgBRMWMsl8EFP
UvQoyIFDm6aooOaS5TAdBgNVHQ4EFgQUqldKM7bs1W6BE6Y2XvR7Q1jzj0QwKQYD
VR0RBCIwIIIQd3d3LmZhY2Vib29rLmNvbYIMZmFjZWJvb2suY29tMDQGCCsGAQUF
BwEBBCgwJjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMBEG
CWCGSAGG+EIBAQQEAwIGwDAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADBh
BgNVHR8EWjBYMCqgKKAmhiRodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vZXYyMDA4
YS5jcmwwKqAooCaGJGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9ldjIwMDhhLmNy
bDCCAcQGA1UdIASCAbswggG3MIIBswYJYIZIAYb9bAIBMIIBpDA6BggrBgEFBQcC
ARYuaHR0cDovL3d3dy5kaWdpY2VydC5jb20vc3NsLWNwcy1yZXBvc2l0b3J5Lmh0
bTCCAWQGCCsGAQUFBwICMIIBVh6CAVIAQQBuAHkAIAB1AHMAZQAgAG8AZgAgAHQA
aABpAHMAIABDAGUAcgB0AGkAZgBpAGMAYQB0AGUAIABjAG8AbgBzAHQAaQB0AHUA
dABlAHMAIABhAGMAYwBlAHAAdABhAG4AYwBlACAAbwBmACAAdABoAGUAIABEAGkA
ZwBpAEMAZQByAHQAIABFAFYAIABDAFAAUwAgAGEAbgBkACAAdABoAGUAIABSAGUA
bAB5AGkAbgBnACAAUABhAHIAdAB5ACAAQQBnAHIAZQBlAG0AZQBuAHQAIAB3AGgA
aQBjAGgAIABsAGkAbQBpAHQAIABsAGkAYQBiAGkAbABpAHQAeQAgAGEAbgBkACAA
YQByAGUAIABpAG4AYwBvAHIAcABvAHIAYQB0AGUAZAAgAGgAZQByAGUAaQBuACAA
YgB5ACAAcgBlAGYAZQByAGUAbgBjAGUALjAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADggEBANDr75RRF8J5m620L8cheHE64frw
BSCCzs+gkapciUFiqiOy1U7yFhhP8t/pinlUsqFSVh5/JDvNhaAseo3k9Cef/l3f
2uE0ZMXShOKcqg2Tj0+1Tmutf3bynLTi8EolgLEnx4ThPHaADRQPU/lUrCbLP+rP
SvOLyDYfItNqFSoTGtCPAhtlhoiLP3Da344IQc18EAqQ9Dkhh+hpbG7lvOiiS2aZ
e30IR8d4pMkbycLi7DgEEKYAuI578ccawwutGk7MytqzP70mOjHFyn6mWW4R8rmv
5ueRCBNc3bnW+NmQrlPxma4L3HLgG1VjC4T25VQw8kqTIOWeZkL9yGWIn6I=
-----END CERTIFICATE----- 

  ... ...
SSL-Session:
  ... ...

    Verify return code: 20 (unable to get local issuer certificate)
---
DONE




To solve the error, we may copy the content from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----", and save it to a CA.pem file. The following command shall not raise the error:

openssl s_client -CAfile CA.pem -connect facebook.com:443

No comments: