Reputation: 602
Root certificate -> Intermediate CA -> Environment CA -> Host Cert
Openssl verify works with the CAfile (has the cert chain root+int+env) but not with CApath. I have to use ca-dir for syslog-ng and I keep getting this error.
openssl verify -CAfile etc/ssl/test/ca.pem host2.pem
host2.pem: OK
openssl verify -CApath /etc/ssl/test/ host2.pem
host2.pem: CN = host.domain.com
error 20 at 0 depth lookup:unable to get local issuer certificate
Openssl verify does work with CA path on a different host, although the host cert was generated with the same config and uses the same cert chain. Why does the CApath verify fail?
Upvotes: 1
Views: 8991
Reputation: 5797
From the Openssl documentation: https://www.openssl.org/docs/manmaster/man1/verify.html
-CApath directory
A directory of trusted certificates. The certificates should have names of the form: hash.0 or have symbolic links to them of this form ("hash" is the hashed certificate subject name: see the -hash option of the x509 utility). Under Unix the c_rehash script will automatically create symbolic links to a directory of certificates.
So if I'm right, then the -CApath option should point to a directory with the hashed list of certificates or have symbolic links to them.
You could get such a list via, e.g., the -hash option of the openssl x509 command.
I hope it helps.
Upvotes: 1
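As an added example (not code from this thread or from syslog-ng), the script below builds a root -> intermediate -> host chain with the openssl CLI, puts the two CA certificates into one directory under their plain file names and into another under subject-hash names, and runs openssl verify against each, reproducing the error 20 from the question and then the OK. It assumes an openssl 1.1.1 or 3.x binary on PATH; the subject names (Example Root, Example Intermediate, host.example.test), the capath-* directory names and the config sections are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread: shows why a -CApath directory must
# contain <subject-hash>.N entries rather than arbitrarily named PEM files.
# Assumes `openssl` (1.1.1 or 3.x) is on PATH; all files go to a temp directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config (constructed for this example). req insists on a
# distinguished_name section even though -subj overrides it below.
write_config() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_host]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Self-signed root, intermediate signed by the root, host cert signed by the
# intermediate, plus a concatenated bundle for the -CAfile comparison.
make_chain() {
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
        -config ca.cnf -extensions v3_ca -subj "/CN=Example Root" -days 30 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -config ca.cnf -subj "/CN=Example Intermediate" 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out int.pem -days 30 -extfile ca.cnf -extensions v3_ca 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout host.key -out host.csr \
        -config ca.cnf -subj "/CN=host.example.test" 2>/dev/null
    openssl x509 -req -in host.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -out host.pem -days 30 -extfile ca.cnf -extensions v3_host 2>/dev/null
    cat root.pem int.pem > bundle.pem
}

# Directory holding the CA certs under plain names: by_dir lookup never opens them.
make_plain_capath() {
    mkdir -p "$WORK/capath-plain"
    cp "$WORK/root.pem" "$WORK/int.pem" "$WORK/capath-plain/"
}

# What c_rehash / `openssl rehash` do, by hand: each CA cert becomes
# <subject hash>.<n>, n starting at 0 and bumped when two certs share a hash.
# The intermediate goes in too, since verify looks up every issuer by subject hash.
make_hashed_capath() {
    dir="$WORK/capath-hashed"
    mkdir -p "$dir"
    for cert in "$WORK/root.pem" "$WORK/int.pem"; do
        h=$(openssl x509 -noout -subject_hash -in "$cert")   # same as -hash
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
        cp "$cert" "$dir/$h.$n"
    done
}

# Exit status of openssl verify: 0 when a chain to a trusted root is found,
# non-zero (error 20, unable to get local issuer certificate) otherwise.
verify_with_capath() {
    openssl verify -CApath "$1" "$WORK/host.pem" >/dev/null 2>&1
}

verify_with_cafile() {
    openssl verify -CAfile "$WORK/bundle.pem" "$WORK/host.pem" >/dev/null 2>&1
}

write_config
make_chain
make_plain_capath
make_hashed_capath

echo "CAfile bundle:        $(verify_with_cafile && echo OK || echo FAIL)"
echo "CApath, plain names:  $(verify_with_capath "$WORK/capath-plain" && echo OK || echo FAIL)"
echo "CApath, hash.N names: $(verify_with_capath "$WORK/capath-hashed" && echo OK || echo FAIL)"
```

The expected run shows OK for the bundle, FAIL for the plain-name directory and OK for the hashed one. Two practical checks follow from this: syslog-ng's ca-dir() expects exactly the hashed layout, so run c_rehash (or `openssl rehash` on 1.1.0+) on that directory after every certificate change; and the subject-hash algorithm changed in OpenSSL 1.0.0, so a directory hashed on one host with `-subject_hash_old` values will not be found by a newer OpenSSL on another host (compare `openssl x509 -noout -subject_hash` against `-subject_hash_old` when a CApath that works on one machine fails on another).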