OpenSSL: unable to verify the first certificate for Experian URL

一整个雨季 2020-11-30 18:14

I am trying to verify an SSL connection to Experian in Ubuntu 10.10 with OpenSSL client.

openssl s_client -CApath /etc/ssl/certs/ -connect dm1.experian.com:         


        
5 Answers
  •  自闭症患者
    2020-11-30 18:54

    Adding additional information to emboss's answer.

    To put it simply, there is an incorrect cert in your certificate chain.

    For example, your certificate authority will have most likely given you 3 files.

    • your_domain_name.crt
    • DigiCertCA.crt # (Or whatever the name of your certificate authority is)
    • TrustedRoot.crt

    You most likely combined all of these files into one bundle.

    -----BEGIN CERTIFICATE----- 
    (Your Primary SSL certificate: your_domain_name.crt) 
    -----END CERTIFICATE----- 
    -----BEGIN CERTIFICATE----- 
    (Your Intermediate certificate: DigiCertCA.crt) 
    -----END CERTIFICATE----- 
    -----BEGIN CERTIFICATE----- 
    (Your Root certificate: TrustedRoot.crt) 
    -----END CERTIFICATE-----
    

    If you create the bundle, but use an old, or an incorrect version of your Intermediate Cert (DigiCertCA.crt in my example), you will get the exact symptoms you are describing.

    • SSL connections appear to work from browser
    • SSL connections fail from other clients
    • Curl fails with error: "curl: (60) SSL certificate : unable to get local issuer certificate"
    • openssl s_client -connect gives error "verify error:num=20:unable to get local issuer certificate"

    Redownload all certs from your certificate authority and make a fresh bundle.
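
The bundle mistake described in this answer can be reproduced offline. This is an added example, not part of the original answer: it builds a throwaway root, two intermediates and a leaf, then verifies the leaf against a bundle holding the issuing intermediate and against one holding the other. The CA names, file names and `demo.cnf` are constructed, and it assumes the wrong intermediate carries a different subject name from the one that signed the leaf.

```bash
#!/bin/sh
# Added example: throwaway CA hierarchy; every name below is constructed.
set -e
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT; cd "$D"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca]
basicConstraints = critical,CA:TRUE
EOF

# new_csr NAME CN: fresh key plus certificate signing request.
new_csr() {
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}
# sign NAME ISSUER [extra x509 options]: issue NAME.crt from NAME.csr.
sign() {
  n=$1; ca=$2; shift 2
  openssl x509 -req -in "$n.csr" -CA "$ca.crt" -CAkey "$ca.key" \
    -CAcreateserial -days 2 -out "$n.crt" "$@" 2>/dev/null
}
# links_to CHILD PARENT: true when CHILD's issuer name is PARENT's subject name.
links_to() {
  [ "$(openssl x509 -in "$1.crt" -noout -issuer_hash)" = \
    "$(openssl x509 -in "$2.crt" -noout -subject_hash)" ]
}
# chain_status INTERMEDIATE: print OK, or the first verify error number.
chain_status() {
  if out=$(openssl verify -CAfile root.crt -untrusted "$1.crt" leaf.crt 2>&1)
  then echo OK
  else printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
  fi
}

openssl req -x509 -config demo.cnf -extensions ca -newkey rsa:2048 -nodes \
  -keyout root.key -out root.crt -subj "/CN=Demo Trusted Root" -days 2 2>/dev/null
new_csr int_old "Demo Intermediate G1"; sign int_old root -extfile demo.cnf -extensions ca
new_csr int_new "Demo Intermediate G2"; sign int_new root -extfile demo.cnf -extensions ca
new_csr leaf "your_domain_name";        sign leaf int_new   # issued by G2

for i in int_new int_old; do
  links_to leaf "$i" && l=yes || l=no
  echo "$i: issuer name matches=$l verify=$(chain_status "$i")"
done
```

Running the same `-issuer_hash` / `-subject_hash` comparison on each adjacent pair of certificates in a real bundle shows which link is broken before anything is deployed.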
