"unable to get local issuer certificate"

Help
5

Please see Verifying a certificate - #5 by jsha

Here is what I see on Port 4433; https://decoder.link/sslchecker/vpn.newpathmhs.com/4433

$ openssl s_client -showcerts -servername vpn.newpathmhs.com -connect vpn.newpathmhs.com:4433 < /dev/null
CONNECTED(00000003)
depth=0 CN = vpn.newpathmhs.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = vpn.newpathmhs.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = vpn.newpathmhs.com
verify return:1
---
Certificate chain
 0 s:CN = vpn.newpathmhs.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 22 16:08:35 2024 GMT; NotAfter: Aug 20 16:08:34 2024 GMT
-----BEGIN CERTIFICATE-----
MIIE8jCCA9qgAwIBAgISBFI3y8lgfHkEtewqqhnKuTEkMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yNDA1MjIxNjA4MzVaFw0yNDA4MjAxNjA4MzRaMB0xGzAZBgNVBAMT
EnZwbi5uZXdwYXRobWhzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAMchTm4wLumuDH6SY1RxnIgZEpEB4gZPjrtfz6MZTrjk3iozgPSjq0JUerNh
QCL+DbKHh+vPabpEXE8iWlWD0QMBfpvBpHWUDm3pOx8NaL6TOg01wZ1abcbbOtl9
VQ+E4znJDgYxY8Wz7Jp0pglgyC100TVb/ku5czbTnhTvrA3qhbpUE9PjyhHfEXxA
d7ocUve0ryTq2sXq5NAyzVLFh7lfpHVkicg9kXKc1NRYdp5zYq+ECa2JOBboax8v
rF0VTpR7+9SZnAh1Jeu8pOpsNDHE/2+I3V9FSNMQTjAfn5kXKrS0nAgAjqxGn76V
LIG68vQp63j3qQWADwrMv8J4jSsCAwEAAaOCAhUwggIRMA4GA1UdDwEB/wQEAwIF
oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAd
BgNVHQ4EFgQU9z37tFGW5Nqlhc9qbVSbL+2RnP4wHwYDVR0jBBgwFoAUFC6zF7dY
VsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRw
Oi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNy
Lm9yZy8wHQYDVR0RBBYwFIISdnBuLm5ld3BhdGhtaHMuY29tMBMGA1UdIAQMMAow
CAYGZ4EMAQIBMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHYAPxdLT9ciR1iUHWUc
hL4NEu2QN38fhWrrwb8ohez4ZG4AAAGPoUav1QAABAMARzBFAiEAlmxWHkUE5EVH
bqvINWopwrJ50XJQxo8NN+UOJPEezqICIHTfDDjH+uIIFfnD9VGmU0nZcMXp/SzY
N+PnnLeq2L4sAHcA7s3QZNXbGs7FXLedtM0TojKHRny87N7DUUhZRnEftZsAAAGP
oUav0gAABAMASDBGAiEA1dHwcUuZj7VAi1t3ovc2qsL4jvUEP7UNNfH0xRc55j4C
IQDsvp9bbbPnUMook0EfOBBmbwqekqfwITAfb690H5qddTANBgkqhkiG9w0BAQsF
AAOCAQEArpmV4m0UDPeuX0c79G0NnjOg10pKgtWDQ2WlHdeeMQdVUc4e9GYDb9QX
xWV/Ke91ioeBIJ1ZFWPIB5Y5zG1JpQnNFeMdTWPxExKySlT9J1idI8nLk0W9W4up
6w0d34iMXDn84Fysphx9kvEDBybOT3+GnjgPiaIhXEItDQnG8wERXuY5jiAhmuJk
jAmL8SOKV1htsUkwevD867W0Eks6SN6B5TDlWGSxtimB4LFbE0sfZNvflu2MJDu3
xa21IHUyoXjhWzOShGR8WlXgWO/r5JNNcMpwD7DKTmQrpYMDgoePurSt8k5xEDCM
W8y9CsiiuoiBA+8Fh6vjvCebYpcKIg==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = vpn.newpathmhs.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 1988 bytes and written 785 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
DONE

Here is what I see on Port 4443; https://decoder.link/sslchecker/vpn.newpathmhs.com/4443

$ openssl s_client -showcerts -servername vpn.newpathmhs.com -connect vpn.newpathmhs.com:4443 < /dev/null
CONNECTED(00000003)
depth=0 CN = vpn.newpathmhs.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = vpn.newpathmhs.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = vpn.newpathmhs.com
verify return:1
---
Certificate chain
 0 s:CN = vpn.newpathmhs.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 22 16:08:35 2024 GMT; NotAfter: Aug 20 16:08:34 2024 GMT
-----BEGIN CERTIFICATE-----
MIIE8jCCA9qgAwIBAgISBFI3y8lgfHkEtewqqhnKuTEkMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yNDA1MjIxNjA4MzVaFw0yNDA4MjAxNjA4MzRaMB0xGzAZBgNVBAMT
EnZwbi5uZXdwYXRobWhzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAMchTm4wLumuDH6SY1RxnIgZEpEB4gZPjrtfz6MZTrjk3iozgPSjq0JUerNh
QCL+DbKHh+vPabpEXE8iWlWD0QMBfpvBpHWUDm3pOx8NaL6TOg01wZ1abcbbOtl9
VQ+E4znJDgYxY8Wz7Jp0pglgyC100TVb/ku5czbTnhTvrA3qhbpUE9PjyhHfEXxA
d7ocUve0ryTq2sXq5NAyzVLFh7lfpHVkicg9kXKc1NRYdp5zYq+ECa2JOBboax8v
rF0VTpR7+9SZnAh1Jeu8pOpsNDHE/2+I3V9FSNMQTjAfn5kXKrS0nAgAjqxGn76V
LIG68vQp63j3qQWADwrMv8J4jSsCAwEAAaOCAhUwggIRMA4GA1UdDwEB/wQEAwIF
oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAd
BgNVHQ4EFgQU9z37tFGW5Nqlhc9qbVSbL+2RnP4wHwYDVR0jBBgwFoAUFC6zF7dY
VsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRw
Oi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNy
Lm9yZy8wHQYDVR0RBBYwFIISdnBuLm5ld3BhdGhtaHMuY29tMBMGA1UdIAQMMAow
CAYGZ4EMAQIBMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHYAPxdLT9ciR1iUHWUc
hL4NEu2QN38fhWrrwb8ohez4ZG4AAAGPoUav1QAABAMARzBFAiEAlmxWHkUE5EVH
bqvINWopwrJ50XJQxo8NN+UOJPEezqICIHTfDDjH+uIIFfnD9VGmU0nZcMXp/SzY
N+PnnLeq2L4sAHcA7s3QZNXbGs7FXLedtM0TojKHRny87N7DUUhZRnEftZsAAAGP
oUav0gAABAMASDBGAiEA1dHwcUuZj7VAi1t3ovc2qsL4jvUEP7UNNfH0xRc55j4C
IQDsvp9bbbPnUMook0EfOBBmbwqekqfwITAfb690H5qddTANBgkqhkiG9w0BAQsF
AAOCAQEArpmV4m0UDPeuX0c79G0NnjOg10pKgtWDQ2WlHdeeMQdVUc4e9GYDb9QX
xWV/Ke91ioeBIJ1ZFWPIB5Y5zG1JpQnNFeMdTWPxExKySlT9J1idI8nLk0W9W4up
6w0d34iMXDn84Fysphx9kvEDBybOT3+GnjgPiaIhXEItDQnG8wERXuY5jiAhmuJk
jAmL8SOKV1htsUkwevD867W0Eks6SN6B5TDlWGSxtimB4LFbE0sfZNvflu2MJDu3
xa21IHUyoXjhWzOShGR8WlXgWO/r5JNNcMpwD7DKTmQrpYMDgoePurSt8k5xEDCM
W8y9CsiiuoiBA+8Fh6vjvCebYpcKIg==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = vpn.newpathmhs.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1952 bytes and written 753 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
DONE
2 Likes