openssl: verify error:num=20:unable to get local issuer certificate

Oliver Schonrock oliver at
Sun Nov 29 17:23:36 UTC 2015

just a little more info

On 29/11/15 16:41, Oliver Schonrock wrote:
> 2. there is something wrong with the openssl installation on that
> 10.1 machine.

I install openssl from ports to test:
pkg install openssl

/usr/local/bin/openssl s_client -connect
2>&1 | less

depth=2 C = US, O = "thawte, Inc.", OU = Certification Services
Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN =
thawte Primary Root CA
verify return:1

Works! Does that mean my openssl in the base system is messed up?

(I also compared my /etc/ssl/openssl.cnf with the working 10.2
machine, and that's identical as well).

Is it this upgrade below??? Is there any way to validate openssl, or
reinstall it in base?

> I did upgrade this machine from 10.0 to 10.1 using freebsd-update
> on October 16th 2015 (too late I know, could that be the issue?). I
> also installed the recent updates for ntpd vulnerabilities etc. I
> did reboot after those.
> Suspiciously, that problematic 10.1 machine was validating that
> exact cert path fine before the upgrade from 10.0. I know this
> because userland applications, like curl, are being used regularly
> to connect to that very site and I have logs to prove that it was
> working ...and now doesn't. I have put a workaround in place to get
> curl to connect untrusted, but that's not good, clearly. It also
> worries me what else is not working, or not secure?

-- 
Oliver Schönrock
Mobile   : +44 7880 617 446
email    : oliver at
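
An added example, not part of the original message: when one openssl binary verifies a chain and another on the same host does not, a first check is which default trust store each build reads, since OpenSSL looks for `cert.pem` and `certs/` under its compiled-in OPENSSLDIR. The path /usr/bin/openssl for the base system binary and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: compare the default trust-store locations of two OpenSSL builds.

# Extract the directory from `openssl version -d` output,
# which has the form: OPENSSLDIR: "/etc/ssl"
openssldir_from() {
    printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Report whether the default CA file (cert.pem) and the default CA
# directory (certs/) under the given OPENSSLDIR contain anything.
trust_store_status() {
    dir=$1
    if [ -s "$dir/cert.pem" ]; then ca_file=present; else ca_file=missing; fi
    if [ -d "$dir/certs" ] && [ -n "$(ls -A "$dir/certs" 2>/dev/null)" ]; then
        ca_path=populated
    else
        ca_path=empty
    fi
    printf 'CAfile=%s CApath=%s\n' "$ca_file" "$ca_path"
}

# Print one summary line for a binary, or note that it is absent.
report() {
    bin=$1
    [ -x "$bin" ] || { printf '%s: not installed\n' "$bin"; return 0; }
    dir=$(openssldir_from "$("$bin" version -d)")
    printf '%s: OPENSSLDIR=%s %s\n' "$bin" "$dir" "$(trust_store_status "$dir")"
}

report /usr/bin/openssl        # base system binary (assumed path)
report /usr/local/bin/openssl  # binary installed from ports/pkg
```

A build that reports `CAfile=missing CApath=empty` has no default roots to anchor a chain to, which produces error 20 unless `-CAfile` or `-CApath` is passed explicitly.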


More information about the freebsd-questions mailing list