Cannot verify domain with openssl


I am having trouble verifying my domain with openssl, when i run:
openssl s_client -connect -CAfile /etc/ssl/certs/ca-certificates.crt
I get the following errors:

depth=0 CN =
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN =
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN =
verify error:num=21:unable to verify the first certificate
verify return:1

But when I visit the url in the browser, the browser is fine with the certificate, what is happening and why is openssl failing to verify?


You’ll have to refer to fullchain.pem in your webserver configuration, in stead of cert.pem.


I am using the fullchain.


Then you should reload your webserver, because it’s not showing:

Certificate chain
 0 s:/
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1

See also: (“Chain issues: Incomplete”)

Or you’re running a old version of Apache (pre 2.4.8) that requires SSLCertificateFile (cert.pem) ánd SSLCertificateChainFile (chain.pem).

By the way, you really should check your servers configuration… See all the orange warnings on SSLLabs…


Odd, It should have the full chain, because I never pointed it towards just cert.pem. I’m running a custom server so I’ll take a look at its documentation to see what it needs.


2 posts were split to a new topic: Dovecot: “unable to get local issuer certificate”