Why is my RapidSSL Certificate chain is not trusted on ubuntu?
Posted
by
olouv
on Server Fault
See other posts from Server Fault
or by olouv
Published on 2012-05-22T15:53:26Z
Indexed on
2012/07/05
3:17 UTC
Read the original article
Hit count: 530
I have a website that works perfectly with Chrome & other browser but i get some errors with PHP in CLI mode so i'm investigating it, running this:
openssl s_client -showcerts -verify 32 -connect dev.carlipa-online.com:443
Quite suprisingly my HTTPS appears untrusted with a Verify return code: 27 (certificate not trusted)
Here is the raw output :
verify depth is 32
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=27:certificate not trusted
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = khKDXfnS0WtB8DgV0CAdsmWrXl-Ia9wZ, C = FR, O = *.carlipa-online.com, OU = GT44535187, OU = See www.rapidssl.com/resources/cps (c)12, OU = Domain Control Validated - RapidSSL(R), CN = *.carlipa-online.com
verify return:1
So GeoTrust Global CA
appears to be not trusted on the system (Ubuntu 11.10). Added Equifax_Secure_CA
to try to solve this... But i get in this case Verify return code: 19 (self signed certificate in certificate chain)
!
Raw output :
verify depth is 32
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = khKDXfnS0WtB8DgV0CAdsmWrXl-Ia9wZ, C = FR, O = *.carlipa-online.com, OU = GT44535187, OU = See www.rapidssl.com/resources/cps (c)12, OU = Domain Control Validated - RapidSSL(R), CN = *.carlipa-online.com
verify return:1
Edit
Looks like my server does not trust/provide the Equifax Root CA, however i do correctly have the file in /usr/share/ca-certificates/mozilla/Equifax...
© Server Fault or respective owner