I was missing "Add Trust External CA Root", https://support.comodo.com/index.php?_m=downloads&_a=viewdownload&downloaditemid=9&nav=0,1.
On Tue, Feb 12, 2013 at 3:16 AM, Jeffrey Walton <noloa...@gmail.com> wrote:
> Hi All,
>
> I'm probably doing something wrong here, but I don't see what it is.
>
> I'm calling SSL_CTX_load_verify_locations() with a CAT of PEM files.
> I'm not calling SSL_CTX_set_default_verify_paths():
>
> /* http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html */
> /* I've also tried with a PATH of "./" */
> ret = SSL_CTX_load_verify_locations(ctx, "random-org-ca-chain.pem", NULL);
> ssl_err = ERR_get_error();
>
> ASSERT(1 == ret);
> if(!(1 == ret))
> {
>     pkp_display_warning("SSL_CTX_load_verify_locations", (long)ssl_err);
>     break; /* failed */
> }
>
> Later, when the host's certificate is verified, I get a failure at
> depth 2. At 2, the certificate is "AddTrust External CA Root" (a
> Comodo certificate), and the error is 20 (unable to get local issuer
> certificate). But the certificate is explicitly loaded in the PEM file
> above. I uploaded the file at
> http://www.megafileupload.com/en/file/392206/random-org-ca-chain-pem.html.
>
> I've used `openssl x509 -text -in "AddTrust External CA Root.pem"`
> (copied out directly from s_client), and everything looks OK. CA is
> TRUE, AKI is present, KU includes "Certificate Sign, CRL Sign", etc.
>
> I also have everything fully ASSERT'd, so I'm not silently failing
> anywhere (that I am aware of).
>
> The chain can be examined on the target at https://www.random.org (or
> using $ echo "GET / HTTP1.0" | openssl s_client -showcerts -connect
> www.random.org:443).

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org