OpenSSL: Unable to Verify the First Certificate with OpenSSL

The concern is documenting the OpenSSL error

verify error:num=21:unable to verify the first certificate

encountered when validating a certificate chain with OpenSSL and is accompanying a similar Unable To Get Local Issuer Certificate with OpenSSL. If you don’t understand certificate chains, watch the explainer first.

This error means that the certificate chain is broken for OpenSSL — but does not have to be for browsers!

Why? Because browsers can download the missing intermediate certificate from Certificate Authority Server. OpenSSL does not do that. It requires that the whole certificate chain is provided by the server. Possibly also, the supplied intermediate certificate is incorrect.

• Of course browsers and most HTTP clients can download this certificate from the Certificate Authority server, but not all HTTP clients may be able to do so (as noted, OpenSSL does not by default)
• The issue is succinctly described in the introduction of an article Verify certificate chain with OpenSSL.
• To see this from another angle, you can also test any domain in SSL Server Test.
• Even though the browser shows the certificates to be OK — OpenSSL as well as monitoring systems can ring an alert with messages such as

x509: certificate signed by unknown authority

• to fix this, upload all intermediate certificates on the server as well and send them along with each request with the server certificate, i.e. you need to have server-side access to the certificate manager and ensure the chain is both complete and correct

Sources

• SSL certificate chain resolvercertificatechain.io
• SSL Server Test
• Verify certificate chain with OpenSSL