
Re: Openssl -showcerts "verify error"



On Wed, May 4, 2016, at 12:25 PM, Ron Leach wrote:
> List, good afternoon,
> 
> I'd appreciate some advice about how to fix an SSL error I'm hitting 
> while accessing a government website required for online filing. 
> Oddly, this error has just occurred, but we've been using the service 
> without difficulty for a few years.
> 
> The SSL failure is reported by the application as an
> "SSL Certificate Verification Error"; no other information.
> 
> Using openssl -showcerts, a "verify error" is reported.  Here's the 
> dialogue - I've skipped the bulk of the certificate texts.
> 
> ron@debians5:~$ openssl s_client -showcerts -connect 
> secure.gateway.gov.uk:443 </dev/null
> CONNECTED(00000003)
> depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of 
> use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure 
> Server CA - G3
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>   0 s:/C=GB/ST=London/L=London/O=Department for Work and 
> Pensions/OU=Transformational Government/CN=secure.gateway.gov.uk
>     i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use 
> at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure 
> Server CA - G3
> -----BEGIN CERTIFICATE-----
> MIIFTTCCBDWgAwIBAgIQVvXmnZpU7GpmDQbP2RA+DDANBgkqhkiG9w0BAQUFADCB
> tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
> [...]
> T5A4onjwNgpfTwlfM0BaqhMjii2rrUrWdz++8gPO1SnJNFM5kKwzq8jjj6ezFfZQ
> iV/THI2bNvQl6In1tHt8rO8=
> -----END CERTIFICATE-----
>   1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use 
> at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure 
> Server CA - G3
>     i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 
> VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public 
> Primary Certification Authority - G5
> -----BEGIN CERTIFICATE-----
> MIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCB
> yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
> [...]
> W+yzf5VK+wPIrSbb5mZ4EkrZn0L74ZjmQoObj49nJOhhGbXdzbULJgWOw27EyHW4
> Rs/iGAZeqa6ogZpHFt4MKGwlJ7net4RYxh84HqTEy2Y=
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/C=GB/ST=London/L=London/O=Department for Work and 
> Pensions/OU=Transformational Government/CN=secure.gateway.gov.uk
> issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of 
> use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure 
> Server CA - G3
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 3043 bytes and written 447 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>      Protocol  : TLSv1
>      Cipher    : AES256-SHA
>      Session-ID: 89[...]F6
>      Session-ID-ctx:
>      Master-Key: 5A[...]93
>      Key-Arg   : None
>      Start Time: 1462378147
>      Timeout   : 300 (sec)
>      Verify return code: 20 (unable to get local issuer certificate)
> ---
> DONE
> ron@debians5:~$
> 
> 
> I've updated the machine (using synaptic) with the latest 
> ca_certificates, but the error remains (this is the current output, 
> after certificate updates).
> 
> The system was working fine last month, but seems to fail today.  I'm 
> not familiar with the 'behind the scenes' workings of openssl and the 
> certificate chains, and would appreciate any insight into what might 
> be going wrong.
> 
> regards, Ron
> 

Hi,

Have you tried a different browser? I get the following error in Chrome
when attempting to log in:

==
Sorry, you cannot register with, or log in to the Government Gateway
using this certificate provider and web browser combination. These
certificates are not currently supported on the Macintosh operating
system and Netscape 6.x version browsers on all platforms.

Other certificate providers may be added to the Government Gateway
later. Please check this site regularly to find out which certificates
can be used for online services.
==

The site works fine in IE 11. Looks like it is coded in MS ASP.NET,
which makes sense. No access to a Debian box right now, unfortunately.

--
Will
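
As an added example (not part of the original thread), the following reads `openssl s_client -showcerts` output like that quoted above and names the issuer that verify error 20 says is absent from the local trust store. The function names and the sample text are constructed for illustration, and the code assumes the depth reported next to the error indexes the chain the server sent.

```python
import re

# Constructed sample in the layout of `openssl s_client -showcerts` output.
# Names are placeholders; each subject/issuer is on one line, as openssl prints it.
SAMPLE = """\
depth=1 /C=US/O=Example CA/CN=Example Intermediate CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=GB/O=Example Dept/CN=www.example.test
   i:/C=US/O=Example CA/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
---
"""

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain' block."""
    chain, current, in_chain = [], None, False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":
            break                      # end of the chain listing
        elif in_chain:
            s = re.match(r"\s*(\d+)\s+s:(.+)$", line)
            i = re.match(r"\s*i:(.+)$", line)
            if s:
                current = (int(s.group(1)), s.group(2).strip())
            elif i and current:
                chain.append((*current, i.group(1).strip()))
                current = None         # PEM lines in between match neither pattern
    return chain

def missing_issuer(text):
    """For verify error 20, return (depth, subject, issuer) of the certificate
    whose issuer was not found in the local trust store, else None."""
    m = re.search(r"^depth=(\d+) .*\n\s*verify error:num=20:", text, re.M)
    if not m:
        return None
    depth = int(m.group(1))
    return next((c for c in parse_chain(text) if c[0] == depth), None)

if __name__ == "__main__":
    print(missing_issuer(SAMPLE))
```

Applied to the quoted session, with the mail-wrapped lines rejoined, the depth=1 entry is the "VeriSign Class 3 Secure Server CA - G3" certificate, so the issuer reported as not found locally is "VeriSign Class 3 Public Primary Certification Authority - G5".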

