Sorry for top-posting but you apparently posted richtext and my new "improved" Outlook
can no longer impoverish text correctly nor reply inline to richtext. Bah.

You don't need the full chain(s), only the root(s), since both servers send the chain as they should. The difference is that the sumologic chain uses "GeoTrust Primary Certification Authority", which appears to be both self-signed and (cross-)signed by Equifax, probably for transition (although 2006 is a while back now), and the server actually sends the cross-signed one. Firefox (at least the current version 24 I can check) has the self-signed version "built-in", which it uses (and exports). OpenSSL, on the contrary, will not (yet) override a received cert with a truststore one, so it needs the Equifax root. Which is also in FF 24; under Authorities find Equifax Secure CA, export that and use that.

If you really want to know how (as asked), not just what: if you have the openssl command line, the easiest way is to run openssl s_client -connect host:port and look at the cert chaining (0 s: and i:, 1 s: and i:, and so on), and in this case compare to what FF displays. If you need the contents of the non-leaf certs (here you don't really) add -showcerts.

Note the sumologic leaf cert has Subject CN sumologic.com, but SubjectAlternativeNames correctly specifying other names including collectors.sumologic.com. EV certs aren't allowed to use wildcard names.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of James Crowley
Sent: Monday, September 23, 2013 14:28
To: openssl-users@openssl.org
Subject: *** Spam *** Debugging cause of "unable to get local issuer certificate" - one cert works, one doesn't

Hi everyone,

I'm hitting an "unable to get local issuer certificate" error on a specific SSL certificate, and I was wondering how I can best debug this? It's via NXLog, which uses OpenSSL, so a bit disconnected from the underlying library at the moment, and I'm not too familiar with OpenSSL.
I've exported the full SSL certificate chain for both logs-01.loggly.com and collectors.sumologic.com using Firefox, each into their own pem file. When establishing a connection, the first works fine, the second gives me:

SSL certificate verification failed: unable to get local issuer certificate (err: 20)

The only difference I can spot is the second is an EV certificate, and is for sumologic.com whereas the first is explicitly *.loggly.com. If I deliberately mis-match the certificates then I get "SSL certificate verification failed: self signed certificate in certificate chain (err: 19)", so it's definitely something specific to the SumoLogic certificate verification chain as far as I can tell?

Any help would be much appreciated.

J
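As an added worked example of the s_client check described in the reply above (this is not code from the thread, from NXLog or from OpenSSL): the script below parses the "0 s:" / "i:" lines of a constructed openssl s_client transcript and replays a simplified, name-only version of OpenSSL's chain walk against two trust stores, the self-signed GeoTrust Primary that Firefox exports and the Equifax root. With the old "use the received cert as sent" behaviour the walk ends at the cross-signed GeoTrust Primary and reports error 20 naming Equifax as the issuer to add; with the Equifax root in the store, or with the trusted-first matching that later OpenSSL releases use, it anchors. The leaf name, the "Example EV Intermediate CA" and the exact DN strings are assumptions for illustration.

```python
"""Replay OpenSSL's chain building against the "Certificate chain" block that
`openssl s_client -connect host:port` prints, to see which root a trust store
must contain.  Constructed example, not code from the thread or from OpenSSL."""
import re
from typing import List, Optional, Tuple

# Constructed transcript in the shape s_client prints.  The leaf and the
# "Example EV Intermediate CA" are hypothetical; the two CA names above them
# follow the thread (a cross-signed GeoTrust Primary, issued by Equifax).
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Primary Certification Authority
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/O=Example Log Service/CN=collectors.example.com
   i:/C=US/O=Example CA Inc./CN=Example EV Intermediate CA
 1 s:/C=US/O=Example CA Inc./CN=Example EV Intermediate CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
"""

# Subject names as they would appear for the two candidate trust anchors
# (illustrative DN strings, not copied from the real certificates).
GEOTRUST_PRIMARY = "/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority"
EQUIFAX_ROOT = "/C=US/O=Equifax/OU=Equifax Secure Certificate Authority"

SUBJECT_LINE = re.compile(r"^\s*(\d+)\s+s:(.+)$")
ISSUER_LINE = re.compile(r"^\s*i:(.+)$")


def parse_chain(s_client_output: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server sent them (leaf first)."""
    chain: List[Tuple[str, str]] = []
    pending_subject: Optional[str] = None
    in_chain = False
    for line in s_client_output.splitlines():
        stripped = line.strip()
        if stripped == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if stripped == "---":  # end of the chain block
            break
        m = SUBJECT_LINE.match(line)
        if m:
            pending_subject = m.group(2).strip()
            continue
        m = ISSUER_LINE.match(line)
        if m and pending_subject is not None:
            chain.append((pending_subject, m.group(1).strip()))
            pending_subject = None
    return chain


def verify_chain(chain, trusted_subjects, trusted_first=False):
    """Simplified model of X509_verify_cert's chain building.

    Returns (error_number, depth, message); error 0 means the chain anchored.
    Matching is by name only (real verification also checks signatures, key
    identifiers and validity).  With trusted_first=False it behaves like the
    OpenSSL of the thread: a received (cross-signed) cert is used as sent, and
    the store is consulted only for the issuer of the last received cert.
    trusted_first=True models X509_V_FLAG_TRUSTED_FIRST (on by default since
    OpenSSL 1.1.0): a received cert whose subject is in the store is treated
    as the anchor, which matches what the reply describes Firefox doing.
    """
    if not chain:
        raise ValueError("empty chain")
    trusted = set(trusted_subjects)
    for depth, (subject, issuer) in enumerate(chain):
        if trusted_first and subject in trusted:
            return (0, depth, "ok")
        if subject == issuer:  # self-signed: it must itself be a trust anchor
            if subject in trusted:
                return (0, depth, "ok")
            if depth == 0:
                return (18, depth, "self signed certificate")
            return (19, depth, "self signed certificate in certificate chain")
        if depth + 1 < len(chain) and chain[depth + 1][0] == issuer:
            continue  # the server sent the issuer; keep walking the received chain
        if issuer in trusted:
            return (0, depth, "ok")
        return (20, depth, "unable to get local issuer certificate")
    raise AssertionError("unreachable: the walk always returns at the last cert")


def missing_issuer(chain, trusted_subjects, trusted_first=False) -> Optional[str]:
    """Subject name the trust store must gain for error 20 to go away, else None."""
    err, depth, _ = verify_chain(chain, trusted_subjects, trusted_first)
    return chain[depth][1] if err == 20 else None


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_S_CLIENT_OUTPUT)
    for depth, (s, i) in enumerate(chain):
        print(f"{depth} s:{s}\n  i:{i}")
    # Store holding only the self-signed GeoTrust Primary (what Firefox exports):
    print(verify_chain(chain, [GEOTRUST_PRIMARY]))
    print("add to store:", missing_issuer(chain, [GEOTRUST_PRIMARY]))
    # The Equifax root instead, or trusted-first matching with the same store:
    print(verify_chain(chain, [EQUIFAX_ROOT]))
    print(verify_chain(chain, [GEOTRUST_PRIMARY], trusted_first=True))
```

To diagnose a real host, feed the output of openssl s_client -connect host:port (add -showcerts if you also want the intermediate PEM blocks) into parse_chain, and compare the issuer it names against the subjects in your bundle, which openssl x509 -noout -subject -in file.pem prints one certificate at a time.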