bm perumalla
asked on
OpenSSL Error: Unable to get Local issuer certificate inspite of storing certificate chain in Linux
Hello Experts,
I am new to SSL setup and i am trying to establish https communication between my linux based agent application and target windows WebServer for hich i obtained a signed certificate by our internal CA Server. I copied the same certificate to my linux machine default location prescribed by our product documentation under /var/opt/<ourproductname>/
Since the server certificate is authorized (signed) by a Certificate Authority, the process may include checking whether that Certificate Authority
is trusted. The checking process continues until it reaches the root Certificate Authority (CA),on which the client device can recognize as trusted. This trust occurs when a CA certificate is 'known' to the client. Now as suggested in our product document,I concatenated the root ca .pem file and my windows webserver ca .pem file to a single .pem file as follows:
#!/bin/sh
rm cert.pem
for i in root_ca.pem webserver_ca.pem; do
openssl x509 -in $i -text >> cert.pem
done
It throws error as follows:
unable to load certificate
139779506755328:error:0906
Then, when i run my agent application to communicate with my windows webserver, it throws below error:
"Error 0xE1BBFC14: OpenSSL error 0xFC14: unable to get local issuer certificate"
I am struggling for last three days day and night to solve this.Please help.
Your help is much appreciated.
Many thanks,
Sriram
I am new to SSL setup and i am trying to establish https communication between my linux based agent application and target windows WebServer for hich i obtained a signed certificate by our internal CA Server. I copied the same certificate to my linux machine default location prescribed by our product documentation under /var/opt/<ourproductname>/
Since the server certificate is authorized (signed) by a Certificate Authority, the process may include checking whether that Certificate Authority
is trusted. The checking process continues until it reaches the root Certificate Authority (CA),on which the client device can recognize as trusted. This trust occurs when a CA certificate is 'known' to the client. Now as suggested in our product document,I concatenated the root ca .pem file and my windows webserver ca .pem file to a single .pem file as follows:
#!/bin/sh
rm cert.pem
for i in root_ca.pem webserver_ca.pem; do
openssl x509 -in $i -text >> cert.pem
done
It throws error as follows:
unable to load certificate
139779506755328:error:0906
Then, when i run my agent application to communicate with my windows webserver, it throws below error:
"Error 0xE1BBFC14: OpenSSL error 0xFC14: unable to get local issuer certificate"
I am struggling for last three days day and night to solve this.Please help.
Your help is much appreciated.
Many thanks,
Sriram
ASKER
Simple Arnold. I want to send a file to my webserver (which is hosted on windows and is https enabled) from my linux machine using https.
For that to happen, please give me the steps i need to perform on linux machine as well as on my windows server.
What type of certificate i need to create (Where is WebServer or Subordinate CA) and where do i need to create and import for communication to happen between my linux and windows https server.
I did the following:
Step1: I created a local certificate on linux (requested using .key file) and got it signed with my CA server which is windows 2012 again.
openssl genrsa 1024 > agent.key
openssl req -new -key ./agent.key > fnms_agent_demo.csr
Copied the contents of the .csr file onto my CA Server and download the base64 encoded .cer file (not the certificate chain .p7b file).
Step2: I renamed this .cer to .pem file and copied to my linux custom /etc/ssl/certs/ folder and tried to upload file to my windows https server. It throws the error:
Unable to load local issuer certificate.
Step3: When i verified this certificate on linux using:
openssl verify cert.pem ; it says:
error 20 at 0 depth lookup: unable to get local issuer certificate
error cert.pem: verification failed
This is the story. Please help!!
Thanks,
Sriram
For that to happen, please give me the steps i need to perform on linux machine as well as on my windows server.
What type of certificate i need to create (Where is WebServer or Subordinate CA) and where do i need to create and import for communication to happen between my linux and windows https server.
I did the following:
Step1: I created a local certificate on linux (requested using .key file) and got it signed with my CA server which is windows 2012 again.
openssl genrsa 1024 > agent.key
openssl req -new -key ./agent.key > fnms_agent_demo.csr
Copied the contents of the .csr file onto my CA Server and download the base64 encoded .cer file (not the certificate chain .p7b file).
Step2: I renamed this .cer to .pem file and copied to my linux custom /etc/ssl/certs/ folder and tried to upload file to my windows https server. It throws the error:
Unable to load local issuer certificate.
Step3: When i verified this certificate on linux using:
openssl verify cert.pem ; it says:
error 20 at 0 depth lookup: unable to get local issuer certificate
error cert.pem: verification failed
This is the story. Please help!!
Thanks,
Sriram
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I am unclear what it is you want to do.
In order for a certificate signed by your Internal CA to be validated by the openssl on your system, the Internal CA certificate and any other issuing CA certificates must be trusted which on linux is achieved by adding those public certificates/certificate chain into the
/etc/pki/ca-trust/source/c
/etc/pki has other ..... section....
This is a system wide listing that openssl loads.
Applications (often) have their own settings such that ......
If you do not have an upload mechanism on your windows server, why are you looking to perfom and https:// upload.
a windows share with your linux accessing it using the samba interface.
Look at cygwin, or SSH server options that can be setup on the windows side.
Or using FTP accessible only internally....
to decrypt data that used your certificate to encrypt your setup will use the agent.key is ....
In order for a certificate signed by your Internal CA to be validated by the openssl on your system, the Internal CA certificate and any other issuing CA certificates must be trusted which on linux is achieved by adding those public certificates/certificate chain into the
/etc/pki/ca-trust/source/c
/etc/pki has other ..... section....
This is a system wide listing that openssl loads.
Applications (often) have their own settings such that ......
If you do not have an upload mechanism on your windows server, why are you looking to perfom and https:// upload.
a windows share with your linux accessing it using the samba interface.
Look at cygwin, or SSH server options that can be setup on the windows side.
Or using FTP accessible only internally....
to decrypt data that used your certificate to encrypt your setup will use the agent.key is ....
ASKER
Thanks Arnold and the Experts-Exchange team for maintaining such a useful website.
Do you have a signed certificate with the .key file that was used to request it?
What are you trying to do?
Extracting the ca certificates will not