Date:      Sun, 29 Nov 2015 17:23:33 +0000
From:      Oliver Schonrock <>
Subject:   Re: openssl: verify error:num=20:unable to get local issuer certificate
Message-ID:  <>
In-Reply-To: <>
References:  <>


just a little more info

On 29/11/15 16:41, Oliver Schonrock wrote:
> 2. there is something wrong with the openssl installation on that
> 10.1 machine.

I install openssl from ports to test:
pkg install openssl

/usr/local/bin/openssl s_client -connect
2>&1 | less

depth=2 C = US, O = "thawte, Inc.", OU = Certification Services
Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN =
thawte Primary Root CA
verify return:1

Works! Does that mean my openssl in the base system is messed up?

(I also compared my /etc/ssl/openssl.cnf with the working 10.2
machine, and that's identical as well).

Is it this upgrade below??? Is there any way to validate openssl, or
reinstall it in base?

> I did upgrade this machine from 10.0 to 10.1 using freebsd-update
> on October 16th 2015 (too late I know, could that be the issue?). I
> also installed the recent updates for ntpd vulnerabilities etc. I
> did reboot after those.
> Suspiciously, that problematic 10.1 machine was validating that
> exact cert path fine before the upgrade from 10.0. I know this
> because userland applications, like curl, are being used regularly
> to connect to that very site and I have logs to prove that it was
> working ...and now doesn't. I have put a workaround in place to get
> curl to connect untrusted, but that's not good, clearly. It also
> worries me what else is not working, or not secure?

-- 
Oliver Schönrock
Mobile   : +44 7880 617 446
email    :