Cannot verify domain with openssl


#1

I am having trouble verifying my domain with openssl. When I run:
openssl s_client -connect www.griffen.io:443 -CAfile /etc/ssl/certs/ca-certificates.crt
I get the following errors:

depth=0 CN = www.griffen.io
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.griffen.io
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = www.griffen.io
verify error:num=21:unable to verify the first certificate
verify return:1

But when I visit the URL in the browser, the browser is fine with the certificate. What is happening, and why is openssl failing to verify?


#2

You’ll have to refer to fullchain.pem in your webserver configuration, instead of cert.pem.


#3

I am using the fullchain.


#4

Then you should reload your webserver, because it’s not showing:

---
Certificate chain
 0 s:/CN=www.griffen.io
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
---

See also: https://www.ssllabs.com/ssltest/analyze.html?d=griffen.io&hideResults=on&latest (“Chain issues: Incomplete”)

Or you’re running an old version of Apache (pre 2.4.8) that requires SSLCertificateFile (cert.pem) ánd SSLCertificateChainFile (chain.pem).

By the way, you really should check your server’s configuration… See all the orange warnings on SSLLabs…
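
Added example, not part of the original posts: a small Python parser for the "Certificate chain" section of `openssl s_client` output, such as the one quoted in post #4, that reports when the server sent only the leaf certificate. The function names and the second sample chain are constructed for illustration, and the leaf-only check assumes the leaf is signed by an intermediate rather than directly by a root.

```python
import re

# One " N s:<subject>" line followed by its "   i:<issuer>" line, as printed
# under "Certificate chain" by `openssl s_client`.
_ENTRY = re.compile(r"^[ \t]*(\d+)[ \t]+s:(.*)\r?\n[ \t]+i:(.*)$", re.MULTILINE)


def parse_chain(s_client_output):
    """Return [(depth, subject, issuer), ...] for the certificates the server sent."""
    return [
        (int(depth), subject.strip(), issuer.strip())
        for depth, subject, issuer in _ENTRY.findall(s_client_output)
    ]


def chain_problems(s_client_output):
    """List reasons the sent chain would fail against a CA file holding only roots."""
    chain = parse_chain(s_client_output)
    if not chain:
        return ["no 'Certificate chain' entries found"]
    problems = []
    # Each certificate must be issued by the next one the server sends.
    for (depth, _, issuer), (_, next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append(f"cert {depth}: issuer {issuer!r} is not the next cert sent")
    # Assumption: a leaf is signed by an intermediate, not directly by a root,
    # so a lone non-self-signed leaf means the intermediate was not sent.
    _, subject, issuer = chain[0]
    if len(chain) == 1 and subject != issuer:
        problems.append(f"only the leaf was sent; missing intermediate {issuer!r}")
    return problems


# Chain section as quoted in post #4 (leaf only).
INCOMPLETE = """---
Certificate chain
 0 s:/CN=www.griffen.io
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
---
"""

# Constructed sample: a server that sends leaf plus intermediate.
COMPLETE = """---
Certificate chain
 0 s:/CN=www.example.test
   i:/O=Example Trust/CN=Example Intermediate CA
 1 s:/O=Example Trust/CN=Example Intermediate CA
   i:/O=Example Trust/CN=Example Root CA
---
"""

if __name__ == "__main__":
    for name, text in (("incomplete", INCOMPLETE), ("complete", COMPLETE)):
        print(name, chain_problems(text) or "chain looks complete")
```

Browsers can accept such a server because they may use a cached intermediate or fetch a missing one, while `openssl s_client` verifies only what the server sends plus the given CA file.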


#5

Odd, it should have the full chain, because I never pointed it towards just cert.pem. I’m running a custom server so I’ll take a look at its documentation to see what it needs.

