From owner-freebsd-questions@freebsd.org Sun Nov 29 16:48:55 2015
To: freebsd-questions@freebsd.org
From: Oliver Schonrock
Subject: openssl: verify error:num=20:unable to get local issuer certificate
Message-ID: <565B2ACD.4030509@schonrocks.com>
Date: Sun, 29 Nov 2015 16:41:49 +0000
I know this is a popular error, however, please bear with me, I am reasonably confident I have covered the obvious (famous last words!).

This is how I produce this certificate chain validation error (the site is important):

  $ openssl s_client -connect api.textmarketer.co.uk:443 2>&1 | less
  depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
  verify error:num=20:unable to get local issuer certificate

This is on a fully updated FreeBSD 10.1 machine with OpenSSL 1.0.1l-freebsd 15 Jan 2015 using (I believe, see below) the crt bundle /usr/local/share/certs/ca-root-nss.crt from

  $ pkg info | grep nss
  ca_root_nss-3.20.1

So openssl does not recognise that Thawte root cert as locally trusted, but the above file definitely contains that cert. I know this because:

a) I have manually forced openssl to use that file (hopefully getting around all the path issues that most similar reported problems seem to boil down to). Like this:

  $ openssl s_client -CAfile /usr/local/share/certs/ca-root-nss.crt -connect api.textmarketer.co.uk:443

same result

b) I also compared the cert file with one of my FreeBSD 10.2 machines (which is working fine), and it's the same apart from the version number in the first line. I also scp'd the crt bundle over to the working 10.2 machine and forced openssl to use it with -CAfile.. that works fine.

So the bundle file is fine, openssl is using that file (-CAfile reports errors if I make an intentional mistake with the filename). That leaves just 2 things that I can think of:

1. something wrong with that site's cert or the cert chain it presents.. I thought this was it, because other sites work.

eg:

  openssl s_client -CAfile /usr/local/share/certs/ca-root-nss.crt -connect google.com:443 2>&1
  depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
  verify return:1

but remember: this site's cert path validates as trusted from the 10.2 machine with the same cert file. Also https://www.ssllabs.com/ssltest/ reports no chain issue etc...

2. there is something wrong with the openssl installation on that 10.1 machine. I did upgrade this machine from 10.0 to 10.1 using freebsd-update on October 16th 2015 (too late I know, could that be the issue?). I also installed the recent updates for ntpd vulnerabilities etc. I did reboot after those.

Suspiciously, that problematic 10.1 machine was validating that exact cert path fine before the upgrade from 10.0. I know this because userland applications, like curl, are being used regularly to connect to that very site and I have logs to prove that it was working ...and now doesn't.

I have put a workaround in place to get curl to connect untrusted, but that's not good, clearly. It also worries me what else is not working, or not secure?

So I am fast running out of ideas of how to narrow this down further. Help please?!

Oh, that machine is in production, reboots etc are commercially possible, but to be avoided as much as I can.

Many thanks in advance.
Oliver
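The error in the mail can be reproduced offline, which makes it easier to see exactly what "error 20" means before touching the production box. The script below is an added example, not part of Oliver's mail or of any FreeBSD package: it builds a throwaway root -> intermediate -> leaf chain with constructed names, then verifies the leaf the way `s_client -CAfile` does (peer-supplied leaf and intermediate, root expected from the bundle), first against a bundle holding an unrelated root and then against one holding the real root. It assumes only that the `openssl` command-line tool is on PATH.

```shell
#!/bin/sh
# Added example, not from the original mail: reproduce OpenSSL verify error 20
# ("unable to get local issuer certificate") with a constructed chain and show
# it clearing once the signing root is in the -CAfile bundle.
# Assumes only that the openssl CLI is on PATH.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions marking a certificate as a CA (root and intermediate) or not (leaf).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"

# Self-signed CA: $1 = file stem, $2 = common name.
selfsigned_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$WORK/$1.csr" \
        -signkey "$WORK/$1.key" -extfile "$WORK/ca.ext" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# Certificate signed by an existing CA: $1 = stem, $2 = CN, $3 = issuer stem,
# $4 = extension file.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$WORK/$1.csr" \
        -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
        -extfile "$4" -out "$WORK/$1.crt" 2>/dev/null
}

selfsigned_ca root  "Example Test Root CA"
selfsigned_ca other "Unrelated Test Root CA"   # a root that signed nothing in our chain
issue_cert int  "Example Test Intermediate CA" root "$WORK/ca.ext"
issue_cert leaf "api.example.test"             int  "$WORK/leaf.ext"

# Mimic `s_client -CAfile`: the peer sends leaf + intermediate (-untrusted);
# the bundle in $1 has to supply the root. Prints the X509 verify error number,
# or 0 when the chain validates. The output is parsed instead of trusting the
# exit status, which older openssl releases did not set on verify failure.
verify_error_code() {
    out=$(openssl verify -CAfile "$1" -untrusted "$WORK/int.crt" \
              "$WORK/leaf.crt" 2>&1 || true)
    case "$out" in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

echo "bundle with an unrelated root -> error $(verify_error_code "$WORK/other.crt")"   # 20
echo "bundle with the signing root  -> error $(verify_error_code "$WORK/root.crt")"    # 0
```

Error 20 is raised at the depth of the last certificate OpenSSL could assemble from what the peer sent, when that certificate's issuer is absent from the trusted material actually loaded. So, given a bundle that provably contains the root and a chain that validates elsewhere with the same bundle, the remaining question is not the bundle's contents but what the verifying library on that host loads and how it matches issuers, which is where comparing `openssl version` output and the installed libssl/libcrypto between the 10.1 and 10.2 machines would narrow things down.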