
Openssl -showcerts "verify error"



List, good afternoon,

I'd appreciate some advice about how to fix an SSL error I'm hitting while accessing a government website required for online filing. Oddly, this error has just occurred, but we've been using the service without difficulty for a few years.

The SSL failure is reported by the application as an "SSL Certificate Verification Error"; no other information.

Using openssl -showcerts, a "verify error" is reported. Here's the dialogue - I've skipped the bulk of the certificate texts.

ron@debians5:~$ openssl s_client -showcerts -connect secure.gateway.gov.uk:443 </dev/null
CONNECTED(00000003)
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=GB/ST=London/L=London/O=Department for Work and Pensions/OU=Transformational Government/CN=secure.gateway.gov.uk
  i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
-----BEGIN CERTIFICATE-----
MIIFTTCCBDWgAwIBAgIQVvXmnZpU7GpmDQbP2RA+DDANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
[...]
T5A4onjwNgpfTwlfM0BaqhMjii2rrUrWdz++8gPO1SnJNFM5kKwzq8jjj6ezFfZQ
iV/THI2bNvQl6In1tHt8rO8=
-----END CERTIFICATE-----
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
  i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
MIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
[...]
W+yzf5VK+wPIrSbb5mZ4EkrZn0L74ZjmQoObj49nJOhhGbXdzbULJgWOw27EyHW4
Rs/iGAZeqa6ogZpHFt4MKGwlJ7net4RYxh84HqTEy2Y=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=GB/ST=London/L=London/O=Department for Work and Pensions/OU=Transformational Government/CN=secure.gateway.gov.uk
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 3043 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 89[...]F6
    Session-ID-ctx:
    Master-Key: 5A[...]93
    Key-Arg   : None
    Start Time: 1462378147
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
DONE
ron@debians5:~$


I've updated the machine (using synaptic) with the latest ca_certificates, but the error remains (this is the current output, after certificate updates).

The system was working fine last month, but seems to fail today. I'm not familiar with the 'behind the scenes' workings of openssl and the certificate chains, and would appreciate any insight into what might be going wrong.

regards, Ron
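
Added example (not part of the original post and not a reply from the list): a Python parser for the s_client output above that pulls out the verify error and the issuer DN the server did not send, which is the certificate the local trust store has to supply for error 20 to clear. The sample text is constructed from the session above with PEM bodies dropped and the long OU components omitted; the function names are hypothetical.

```python
import re

# Constructed sample: the session above with PEM bodies dropped and the long
# OU components omitted. Entry 1 keeps the flattened "s: ... i: ..." layout.
SAMPLE = """\
depth=1 /C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Secure Server CA - G3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=GB/O=Department for Work and Pensions/CN=secure.gateway.gov.uk
   i:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Secure Server CA - G3 i:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
"""

ENTRY = re.compile(r"^\s*(\d+) s:(.*?)(?:\s+i:(/.*))?$")
ISSUER = re.compile(r"^\s+i:(/.*)$")

def verify_errors(text):
    """Return [(depth, num, message)] for each 'verify error' line."""
    errs, depth = [], None
    for line in text.splitlines():
        if m := re.match(r"depth=(\d+) ", line):
            depth = int(m.group(1))
        elif m := re.match(r"verify error:num=(\d+):(.*)", line):
            errs.append((depth, int(m.group(1)), m.group(2)))
    return errs

def parse_chain(text):
    """Return [(index, subject, issuer)] from the 'Certificate chain' section."""
    chain, in_chain = [], False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":
            break
        elif in_chain and (m := ENTRY.match(line)):
            chain.append([int(m.group(1)), m.group(2), m.group(3)])
        elif in_chain and chain and (m := ISSUER.match(line)):
            chain[-1][2] = m.group(1)
    return [tuple(c) for c in chain]

def issuer_not_sent(chain):
    """Issuer DN of the last cert sent, or None if the server sent a self-signed root."""
    subjects = {subject for _, subject, _ in chain}
    issuer = max(chain, key=lambda c: c[0])[2]
    return None if issuer in subjects else issuer

if __name__ == "__main__":
    for depth, num, msg in verify_errors(SAMPLE):
        print(f"depth {depth}: error {num} ({msg})")
    print("must be in the local trust store:", issuer_not_sent(parse_chain(SAMPLE)))
```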

