Gasp0de

Reputation: 1429

Openssl: error 20 at 0 depth lookup:unable to get local issuer certificate

I created 3 certificates using Python: rootca.crt, intermediateca.crt and server.crt. I used the rootca.crt to sign intermediateca.crt, which works as expected:

openssl verify -CAfile rootca.crt intermediateca.crt
intermediateca.crt: OK

Then I signed the server.crt with the intermediate ca, but verification fails:

openssl verify -CAfile rootca.crt -untrusted intermediateca.crt server.crt
server.crt: C = DE, ST = mein Bundesland, L = meine Stadt, O = meine Firma, CN = server.example.com, emailAddress = [email protected]
error 20 at 0 depth lookup:unable to get local issuer certificate

When I parse the certificates, the server.crt authority key identifier matches the intermediateca subject key identifier. Can anyone give me a hint about what could be wrong? If I generate the same certificates with the openssl command line tool it works. The parsed content is identical, apart from the fact that the authority key identifier also contains a serial and a CN for the openssl-generated certificate.

Upvotes: 2

Views: 7445

Answers (1)

Marc

Reputation: 21035

The intermediate CA cannot be used to verify the server certificate because its subject name does not match the issuer name specified in the server certificate.

Let's have openssl dump the subject and issuer names. The -xx_hash shows the hash that openssl uses to build up the certificate chain:

$ openssl x509 -subject -subject_hash -noout -in rootca.crt 
subject=C = DE, ST = mein Bundesland, L = meine Stadt, O = meine Firma, OU = meine Abteilung, CN = serviceserver.example.com, emailAddress = [email protected]
347e2056

$ openssl x509 -issuer -issuer_hash -noout -in intermediateca.crt 
issuer=C = DE, ST = mein Bundesland, L = meine Stadt, O = meine Firma, OU = meine Abteilung, CN = serviceserver.example.com, emailAddress = [email protected]
347e2056

Great, the intermediate's Issuer name matches the root's Subject name. That part of the chain works.

$ openssl x509 -subject -subject_hash -noout -in intermediateca.crt 
subject=C = DE, ST = mein Bundesland, L = meine Stadt, O = meine Firma, CN = serviceserver.example.com, emailAddress = [email protected]
c4dff14c

$ openssl x509 -issuer -issuer_hash -noout -in server.crt 
issuer=C = DE, ST = mein Bundesland, L = meine Stadt, O = meine Firma, OU = meine Abteilung, CN = serviceserver.example.com, emailAddress = [email protected]
347e2056

Oops: the hash is different, so openssl cannot connect the intermediate CA to the server certificate. The difference is that the intermediate's subject name contains an OU field whereas the server's issuer name does not. openssl was correct when it told you that it could not find an issuer.

I'm not sure how you got it in this state, my guess would be some misconfiguration of the subject or issuer name.

Upvotes: 5
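An added example (not code from the question or the answer) that rebuilds the situation the answer describes in Python, the tool the asker used: the server certificate is signed with the intermediate's key, but its Issuer field is written without the OU that the intermediate's Subject carries. `find_issuer` does the first step openssl performs when building a chain (match the child's Issuer name against each candidate's Subject name) and `name_diff` lists the attributes that differ, which is what you would look at when `error 20` appears. It assumes the `cryptography` package is installed; all names, CNs and keys are constructed for the demo.

```python
# Added example: reproduce the Issuer/Subject name mismatch that makes openssl
# report "unable to get local issuer certificate". Requires `cryptography`.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def make_name(cn, ou=None):
    """Build an X.509 Name; OU is optional so a mismatch can be created on purpose."""
    attrs = [x509.NameAttribute(NameOID.COUNTRY_NAME, "DE"),
             x509.NameAttribute(NameOID.ORGANIZATION_NAME, "meine Firma")]
    if ou is not None:
        attrs.append(x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, ou))
    attrs.append(x509.NameAttribute(NameOID.COMMON_NAME, cn))
    return x509.Name(attrs)

def make_cert(subject, issuer, key, signer_key):
    """Issue a minimal cert; the Issuer name is whatever the caller passes, as in the bug."""
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .sign(signer_key, hashes.SHA256()))

def find_issuer(cert, candidates):
    """Chain-building step: the candidate whose Subject equals cert's Issuer, or None."""
    return next((c for c in candidates if c.subject == cert.issuer), None)

def name_diff(a, b):
    """Attributes present in only one of the two names, e.g. ['OU=meine Abteilung']."""
    return sorted(attr.rfc4514_string() for attr in set(a) ^ set(b))

def build_demo_chain(intermediate_ou="meine Abteilung", server_issuer_ou=None):
    """Root -> intermediate -> server, with a constructed OU mismatch by default."""
    root_key, inter_key, srv_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root_name = make_name("rootca.example.com", "meine Abteilung")
    inter_name = make_name("intermediateca.example.com", intermediate_ou)
    root = make_cert(root_name, root_name, root_key, root_key)
    inter = make_cert(inter_name, root_name, inter_key, root_key)
    # Signed by the intermediate key, but the Issuer name was written without the OU.
    srv_issuer = make_name("intermediateca.example.com", server_issuer_ou)
    srv = make_cert(make_name("server.example.com"), srv_issuer, srv_key, inter_key)
    return root, inter, srv

if __name__ == "__main__":
    root, inter, srv = build_demo_chain()
    print("server issuer found:", find_issuer(srv, [root, inter]) is not None)
    print("differing attributes:", name_diff(srv.issuer, inter.subject))
```

Passing `server_issuer_ou="meine Abteilung"` (the intermediate's actual Subject) makes `find_issuer` succeed, which is the fix: the Issuer name written into a certificate must be byte-for-byte the signer's Subject name, not a re-typed copy of it.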
