Verify return code: 27 (certificate not trusted)


#1

I have a problem on the server: if I run openssl s_client -host moodle.scel-vske.cz -port 443 -verify 9, I get
certificate not trusted

The debug output is here:
verify depth is 9
CONNECTED(00000003)
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X1
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = moodle.scel-vske.cz
verify return:1

Certificate chain
0 s:/CN=moodle.scel-vske.cz
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X1
1 s:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Server certificate
subject=/CN=moodle.scel-vske.cz
issuer=/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X1

No client certificate CA names sent

SSL handshake has read 3184 bytes and written 424 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: E69B3AD0BC622B1976AF538283A5D1E1D5B6718E5514648352FC9708B7063174
Session-ID-ctx:
Master-Key: 52B489E9A477AFC5A9FB8688D6D129E8E235017EA16A7AE42AEBA857BC15A7885CC7AB3AB8A0BB0A51C6F4B1219381B7
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:

Start Time: 1450121513
Timeout   : 300 (sec)
Verify return code: 27 (certificate not trusted)

read:errno=0

If I run openssl s_client -host stag-vske.zcu.cz -port 443 -verify 9 -CApath /etc/ssl/certs/

everything is OK

Where is the problem?
Thx


#2

Looks just fine here. openssl s_client is sometimes a bit finicky on some systems; try setting -CAfile or -CApath explicitly. Or maybe it’s just too old? https://www.ssllabs.com/ssltest/analyze.html?d=moodle.scel-vske.cz suggests your available cipher suites are incompatible with 0.9.8.


#3

Obviously not a cipher suite problem, as it can connect perfectly.

I wouldn’t worry if I were you. For some reason OpenSSL also had trouble on my workstation if I didn’t manually specify the /etc/ssl/certs directory with -CApath… But somehow now it’s all fine again :stuck_out_tongue_closed_eyes:

So, most certainly no server problem, but perhaps Google can help you with your OpenSSL :smile:
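
Added example (not part of any post in this thread): a small Python triage of the s_client output from #1. It reads the `verify error` lines and the `Certificate chain` block and names the issuer that the client could not find locally, which is the certificate that -CAfile or -CApath has to supply. The function names and verdict strings are assumptions made for this sketch, and the sample is constructed from the lines posted above.

```python
import re

# Constructed sample: verify and chain lines from the s_client output in post #1
# (typographic apostrophes normalised to ASCII).
SAMPLE = """\
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = moodle.scel-vske.cz
verify return:1
Certificate chain
 0 s:/CN=moodle.scel-vske.cz
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""

def parse(text):
    """Return (errors, chain): errors=[(depth, num, msg)], chain={index: (subject, issuer)}."""
    errors, chain, depth, idx, subj = [], {}, None, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"depth=(\d+)\s", line):
            depth = int(m.group(1))
        elif m := re.match(r"verify error:num=(\d+):(.*)", line):
            errors.append((depth, int(m.group(1)), m.group(2)))
        elif m := re.match(r"(\d+) s:(.*)", line):
            idx, subj = int(m.group(1)), m.group(2)
        elif (m := re.match(r"i:(.*)", line)) and idx is not None:
            chain[idx] = (subj, m.group(1))
            idx = None
    return errors, chain

def triage(text):
    """Classify the failure and name the issuer the client could not find."""
    errors, chain = parse(text)
    if not errors:
        return {"verdict": "ok", "missing_issuer": None}
    top = max(chain) if chain else None
    # Error 20 at the last certificate the server sent: its issuer was not in the
    # handshake, so it must come from the local store (-CAfile / -CApath).
    if any(num == 20 and depth == top for depth, num, _ in errors):
        return {"verdict": "issuer not found in local trust store",
                "missing_issuer": chain[top][1]}
    return {"verdict": "other verify failure", "missing_issuer": None}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

If the reported issuer is a root CA, the client's trust store is what needs attention; if it is an intermediate, the server is not sending its full chain.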