openssl: verify error:num=20:unable to get local issuer certificate
oliver at schonrocks.com
Sun Nov 29 17:23:36 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
just a little more info
On 29/11/15 16:41, Oliver Schonrock wrote:
> 2. there is something wrong with the openssl installation on that
> 10.1 machine.
I install openssl from ports to test:
pkg install openssl
/usr/local/bin/openssl s_client -connect api.textmarketer.co.uk:443
2>&1 | less
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services
Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN =
thawte Primary Root CA
works!...so does that mean my openssl in the base system is messed up?
(I also compared my /etc/ssl/openssl.cnf with the working 10.2
machine, and that's identical as well).
Is it this upgrade below??? Is there any way to validate openssl, or
reinstall it in base?
> I did upgrade this machine from 10.0 to 10.1 using freebsd-update
> on October 16th 2015 (too late I know, could that be the issue?). I
> also installed the recent updates for ntpd vulnerabilities etc. I
> did reboot after those.
> Suspiciously, that problematic 10.1 machine was validating that
> exact cert path fine before the upgrade from 10.0. I know this
> because userland applications, like curl, are being used regularly
> to connect to that very site and I have logs to prove that it was
> working ...and now doesn't. I have put a workaround in place to get
> curl to connect untrusted, but that's not good, clearly. It also
> worries me what else is not working, or not secure?
Mobile : +44 7880 617 446
email : oliver at schonrocks.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
More information about the freebsd-questions