Fix OpenSSL Error: Unable To Get Local Issuer Certificate

Pavol Kutaj
2 min readFeb 19, 2021

--

The aim of this little playbook🏁 is fixing

verify error:num=20:unable to get local issuer certificate

when running certificate chain verifications using OpenSSL with for example

▶ openssl s_client -connect google.com:443
CONNECTED(00000184)
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify error:num=20:unable to get local issuer certificate

If you don’t understand certificate chains, watch the explainer first. What’s behind the issue?

  • OpenSSL cannot validate the chain OpenSSL itself comes without a list of Trusted Root Certificate Authorities (unlike browsers!)
  • I.e., you need to install the CA/s as trusted
  • You can do it either one-by-one by downloading a particular cert (with the help of a browser)
  • Or (what I do), in bulk by downloading for example cacert.pem package from curl - Extract CA Certs from Mozilla
  • Within OpenSSL itself there are 2 relevant command parameters:
  1. CAfile → pointing to a single cert trusted as a Root CA
  2. CApath → pointing to a folder with certs used as trusted Root CA

1. steps for windows/PowerShell

  1. download cacert.pem provided by curl - Extract CA Certs from Mozilla
Invoke-WebRequest https://curl.se/ca/cacert.pem -OutFile c:\cacert.pem
  1. Run OpenAAL with the -CAfile flag containing the absolute path to the downloaded cacert.pem
▶ openssl s_client -connect google.com:443 -CAfile c:\cacert.pemCONNECTED(00000184)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
verify return:1

2. sources

--

--

Pavol Kutaj
Pavol Kutaj

Written by Pavol Kutaj

Today I Learnt | Infrastructure Support Engineer at snowplow.io with a passion for cloud infrastructure/terraform/python/docs. More at https://pavol.kutaj.com

Responses (1)