openssl: verify error:num=20:unable to get local issuer certificate

Oliver Schonrock oliver at schonrocks.com
Sun Nov 29 17:23:36 UTC 2015


just a little more info

On 29/11/15 16:41, Oliver Schonrock wrote:
> 2. there is something wrong with the openssl installation on that
> 10.1 machine.

I install openssl from ports to test:
pkg install openssl

/usr/local/bin/openssl s_client -connect api.textmarketer.co.uk:443 2>&1 | less

depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1

works!...so does that mean my openssl in the base system is messed up?

(I also compared my /etc/ssl/openssl.cnf with the working 10.2
machine, and that's identical as well).

Is it this upgrade below??? Is there any way to validate openssl, or
reinstall it in base?

> I did upgrade this machine from 10.0 to 10.1 using freebsd-update
> on October 16th 2015 (too late I know, could that be the issue?). I
> also installed the recent updates for ntpd vulnerabilities etc. I
> did reboot after those.
> 
> Suspiciously, that problematic 10.1 machine was validating that
> exact cert path fine before the upgrade from 10.0. I know this
> because userland applications, like curl, are being used regularly
> to connect to that very site and I have logs to prove that it was
> working ...and now doesn't. I have put a workaround in place to get
> curl to connect untrusted, but that's not good, clearly. It also
> worries me what else is not working, or not secure?



-- 
Oliver Schönrock
Mobile   : +44 7880 617 446
email    : oliver at schonrocks.com
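
Added example, not part of the original message: verify error 20 means the verifier could not find the issuer certificate in its local trust store, so one check is to compare where each openssl binary looks for trusted CAs by default. The path /usr/bin/openssl for the base binary and the helper names below are assumptions; /usr/local/bin/openssl is the ports binary used in the message.

```shell
#!/bin/sh
# Added example: compare the compiled-in trust-store location of two
# openssl binaries. Helper names are hypothetical.

# Extract the directory from `openssl version -d` output,
# which has the form:  OPENSSLDIR: "/etc/ssl"
openssldir_of() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# Report what is present in the default locations under directory $1:
#   cert.pem -> default CA file (must exist and be non-empty;
#               a dangling symlink does not count)
#   certs/   -> default CA directory (must contain entries)
trust_store_status() {
    dir=$1
    if [ -s "$dir/cert.pem" ]; then
        echo "cafile"
    elif [ -d "$dir/certs" ] && [ -n "$(ls -A "$dir/certs" 2>/dev/null)" ]; then
        echo "capath"
    else
        echo "empty"
    fi
}

# Print version, default directory and trust-store status for one binary.
report() {
    bin=$1
    [ -x "$bin" ] || { echo "$bin: not installed"; return 0; }
    dir=$(openssldir_of "$("$bin" version -d)")
    echo "$bin: $("$bin" version) dir=$dir store=$(trust_store_status "$dir")"
}

report /usr/bin/openssl         # base system binary (assumed path)
report /usr/local/bin/openssl   # ports binary, as used in the message
```

A binary that reports store=empty has no CA certificates in its default locations and cannot build a chain to a root unless it is given -CAfile or -CApath explicitly.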