What I want to do:
Get a clean connection with openssl -connect to a remote site.
Site seems self signed.
What I'm getting: CONNECTED(00000003)
depth=0 CN = DC01.home.pri
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = DC01.home.pri
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = DC01.home.pri
verify error:num=21:unable to verify the first certificate
verify return:1
...
...
Verify return code: 21 (unable to verify the first certificate)
What I have tried:
echo -n | openssl s_client -connect DC01.home.pri:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem
echo -n | openssl s_client -connect DC01.home.pri:636 -CAfile ldapserver.pem
sudo cp ldapserver.pem /etc/ssl/certs/ldapserver.pem
sudo c_rehash /etc/ssl/certs/
echo -n | openssl s_client -connect dc01.home.pri:636 -CApath /etc/ssl/certs/
I have also tried
openssl verify -CAfile /etc/ssl/certs/ldapserver.pem ldapserver.pem
openssl verify -CApath /etc/ssl/certs/ ldapserver.pem
with the results of
ldapserver.pem: CN = DC01.home.pri
error 20 at 0 depth lookup:unable to get local issuer certificate
I have changed the CN/Hostname to guard myself. But the hostname is also added to my hosts file, in case it helps.
Censored PEM file
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
64:c7:48:64:00:00:00:00:00:d0
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=pri, DC=home, CN=home-HOMECA-CA
Validity
Not Before: Mar 7 22:41:45 2015 GMT
Not After : Mar 6 22:41:45 2016 GMT
Subject: CN=DC01.home.pri
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
<CENSORED>
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.20.2:
. .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
S/MIME Capabilities:
......0...`.H.e...*0...`.H.e...-0...`.H.e....0...`.H.e....0...+....0
..*.H..
X509v3 Subject Alternative Name:
othername:<unsupported>, DNS:DC01.home.pri
X509v3 Subject Key Identifier:
<CENSORED>
X509v3 Authority Key Identifier:
keyid:<CENSORED>
X509v3 CRL Distribution Points:
Full Name:
URI:ldap:///CN=home-HOMECA-CA,CN=HOMECA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=home,DC=pri?certificateRevocationList?base?objectClass=cRLDistributionPoint
URI:http://homeca.home.pri/CertEnroll/home-HOMECA-CA.crl
Authority Information Access:
CA Issuers - URI:ldap:///CN=home-CA-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=home,DC=pri?cACertificate?base?objectClass=certificationAuthority
Signature Algorithm: sha1WithRSAEncryption
<CENSORED>
The certificate you posted is not self-signed; the issuer (DC=pri, DC=home, CN=home-HOMECA-CA) differs from the subject (CN=DC01.home.pri).
When validating the certificate, OpenSSL is unable to find a local certificate for the issuer (or the issuer of the first certificate in the chain received from the web server during the TLS handshake) with which to verify the signature(s).
You need to give openssl verify the issuer certificate (or have it in your trust store):
openssl verify -CApath /etc/ssl/certs/<issuer-cert>.pem
来源:https://stackoverflow.com/questions/31619825/unable-to-openssl-verify-ssl-certificate