Link to home
Create AccountLog in
Avatar of bm perumalla
bm perumalla

asked on

OpenSSL Error: Unable to get Local issuer certificate inspite of storing certificate chain in Linux

Hello Experts,

I am new to SSL setup and i am trying to establish https communication between my linux based agent application and target windows WebServer for hich i obtained a signed certificate by our internal CA Server. I copied the same certificate to my linux machine default location prescribed by our product documentation under /var/opt/<ourproductname>/etc/ssl/certs/cert.pem.
Since the server certificate is authorized (signed) by a Certificate Authority, the process may include checking whether that Certificate Authority
is trusted. The checking process continues until it reaches the root Certificate Authority (CA),on which the client device can recognize as trusted. This trust occurs when a CA certificate is 'known' to the client. Now as suggested in our product document,I concatenated the root ca .pem file and my windows webserver ca .pem file to a single .pem file as follows:


#!/bin/sh
rm cert.pem
for i in root_ca.pem webserver_ca.pem; do
openssl x509 -in $i -text >> cert.pem
done
It throws error as follows:
unable to load certificate
139779506755328:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: TRUSTED CERTIFICATE

Then, when i run my agent application to communicate with my windows webserver, it throws below error:
"Error 0xE1BBFC14: OpenSSL error 0xFC14: unable to get local issuer certificate"

I am struggling for last three days day and night to solve this.Please help.
Your help is much appreciated.
Many thanks,
Sriram
Avatar of arnold
arnold
Flag of United States of America image

Not sure what you are doing.
Do you have a signed certificate with the .key file that was used to request it?
What are you trying to do?
Extracting the ca certificates will not
Avatar of bm perumalla
bm perumalla

ASKER

Simple Arnold. I want  to send a file to my webserver  (which is hosted on windows and is https enabled) from my linux machine using https.
For that to happen, please give me the steps i need to perform on linux machine as well as on my windows server.
What type of certificate i need to create (Where is WebServer or Subordinate CA)  and where do i need to create and import for communication to happen between my linux and windows https server.

I did the following:  
Step1: I created a local certificate on linux (requested using .key file) and got it signed with my CA server which is windows 2012 again.
 openssl genrsa 1024 >  agent.key
 openssl req -new -key ./agent.key > fnms_agent_demo.csr

Copied the contents of the .csr file onto my CA Server and download the  base64 encoded .cer file (not the certificate chain .p7b file).

Step2: I  renamed this .cer  to .pem file and copied to my linux  custom  /etc/ssl/certs/  folder and tried to upload file to my  windows https server. It throws the error:
Unable to load local issuer certificate.

Step3: When i verified this certificate on linux using:
openssl verify cert.pem  ;  it says:
error 20 at 0 depth lookup: unable to get local issuer certificate
error cert.pem: verification failed

This is the story. Please help!!

Thanks,
Sriram
ASKER CERTIFIED SOLUTION
Avatar of arnold
arnold
Flag of United States of America image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
I am unclear what it is you want to do.
In order for a certificate signed by your Internal CA to be validated by the openssl on your system, the Internal CA certificate and any other issuing CA certificates must be trusted which on linux is achieved by adding those public certificates/certificate chain into the
/etc/pki/ca-trust/source/ca-bundle.legacy.crt
/etc/pki has other ..... section....

This is a system wide listing that openssl loads.
Applications (often) have their own settings such that ......

If you do not have an upload mechanism on your windows server, why are you looking to perfom and https:// upload.
a windows share with your linux accessing it using the samba interface.
Look at cygwin, or SSH server options that can be setup on the windows side.
Or using FTP accessible only internally....


to decrypt data that used your certificate to encrypt your setup will use the  agent.key is ....
Thanks Arnold and the Experts-Exchange team for maintaining such a useful website.