I created a PEM certificate from a PFX certificate and wanted to verify it.
However, I ran into this issue; I tried to find some answers, but I didn't, and therefore I don't know how to fix it.
Could you please advise?
Thank you very much.
C:\OpenSSL-Win32\bin>set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg
C:\OpenSSL-Win32\bin>openssl
OpenSSL> verify C:\mycert.pem
C:\mycert.pem: C = CZ, ST = Sprava zakladnich registru, L = "Obec=Praha,Ulice=Na Vapence,PSC=13000", O = 72054506, OU = 4333, CN = tstcawilly.szr.local
error 20 at 0 depth lookup:unable to get local issuer certificate
error in verify
OpenSSL>
OpenSSL> verify -CAfile C:\mycert.pem C:\mycert.pem
C:\mycert.pem: C = CZ, ST = Sprava zakladnich registru, L = "Obec=Praha,Ulice=Na Vapence,PSC=13000", O = 72054506, OU = 4333, CN = tstcawilly.szr.local
error 20 at 0 depth lookup:unable to get local issuer certificate
error in verify
OpenSSL>
jww
asked Apr 26, 2013 at 11:38
OpenSSL> verify -CAfile C:\mycert.pem C:\mycert.pem
Close. You need to add the CA's root certificate with -CAfile, and not your end entity certificate. Something like:
openssl verify -CAfile C:\ca-cert.pem C:\mycert.pem
Also, if there is an intermediate certificate, then it needs to be added to mycert.pem. So mycert.pem will actually have two (or more) certificates (rather than one).
Adding all required certificates to mycert.pem in an effort to build a valid chain solves the "which directory" problem. It's a well-known problem in PKI. Essentially, a client (like me) does not know where to go to get missing intermediate certificates.
answered Apr 21, 2014 at 4:26
jww
Another case: pathlen can only be set when CA:TRUE is set in basicConstraints.
Example:
basicConstraints=CA:TRUE,pathlen:10 # Okay
basicConstraints=CA:FALSE,pathlen:10 # Invalid!
answered May 26, 2020 at 13:50
LingSamuel
I also had problems using the openssl verify command properly, so I also got the error:
"error 20 at 0 depth lookup:unable to get local issuer certificate"
Here is a short explanation of how to use the openssl verify command correctly if you have a certificate chain with multiple intermediate certificates (more than 2 certificates).
Let's imagine we have the following certificate chain:
my_root_ca.crt > my_intermediate_ca1.crt > my_intermediate_ca2.crt > leaf_cert.crt
openssl verify -CAfile my_root_ca.crt -untrusted all_my_intermediate_ca.crt leaf_cert.crt
my_root_ca.crt: This is the root certificate (self-signed)
all_my_intermediate_ca.crt: This file must include both intermediate certificates (my_intermediate_ca1.crt & my_intermediate_ca2.crt)
leaf_cert.crt: This is the actual certificate that gets verified.
So this would also work if you have more than two intermediate certificates. But you must include them all in one file.
answered Sep 9, 2021 at 10:08
Biba
I discovered two potential issues you might face.
Potential issue 1.
The intermediate certificates might give you an issue.
When verifying our new QSeal certificate (in PEM format) against multiple intermediate certificates, I used the option -untrusted for each intermediate certificate.
Here follows an example on macOS / Linux.
openssl verify -verbose -CAfile ./quovadis_root_ca1g3.pem -untrusted ./quovadis_quovadisenterprisetrustca1g3.pem -untrusted ./quovadis_quovadiseuissuingcertificationauthorityg4.pem ./qseal_new.crt
The output is now
./qseal_new.crt: OK
Potential issue 2.
I keep getting this issue when using LibreSSL, even after fixing the intermediate certificate issue. Switching to OpenSSL solved it. I am aware that you use Windows, but others might encounter this issue when using an OpenSSL alternative.
answered Sep 9, 2021 at 10:33
Aschwin
Ace Suares
[SOLVED] thawte ssl wildcard gives error: error 2 at 1 depth lookup:unable to get issuer certificate or error 20 at 0 depth lookup:unable to get local issuer certificate
I am getting this error on Zimbra (and also with openssl verify -CAfile ...), but on an Apache webserver, just placing the key, crt and intermediate .pem file in the right locations works. Why doesn't openssl / zmcertmgr want to accept this certificate?
Once again, just copying the files to an Apache webserver in the right place works like a charm. It's openssl verify (that is used in zmcertmgr) that gives the error.
Any solutions?
jorgedlcruz
Postby jorgedlcruz » Tue Feb 17, 2015 3:08 pm
Hi Ace Suares,
This problem is common. You need to ask your provider for the:
- Root CA
- Intermediate CA
New ones: if your SSL certificate is more than 3 months old, the root and the intermediate CA have probably changed. Contact your SSL provider and ask them for new ones, put both in a file called commercial_ca.crt and try again. Really, this problem is always the same.
Best regards
cayaraa
Postby cayaraa » Tue Feb 17, 2015 3:10 pm
That tends to be the error if you don't have a complete chain in your cert. If it helps, these are the steps I use to deploy our wildcard cert (Comodo this time):
cat ComodoRSAca_ROOT.crt ComodoRSAca_inter1.crt ComodoRSAOrgValidationca_inter2.crt > ca_bundle.crt
sudo cp ca_bundle.crt /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
sudo /opt/zimbra/bin/zmcertmgr verifycrt comm ./star.domain.com.key ./star.domain.com.crt
sudo cp star.domain.com.key /opt/zimbra/ssl/zimbra/commercial/commercial.key
sudo /opt/zimbra/bin/zmcertmgr deploycrt comm star.domain.com.crt ca_bundle.crt
sudo /opt/zimbra/bin/zmcertmgr viewdeployedcrt
-Aaron
Ace Suares
Postby Ace Suares » Tue Feb 17, 2015 3:49 pm
Thanks for the answer. The intermediate CA I am using is https://search.thawte.com/library/VERISIGN/ALL_OTHER/thawte%20ca/SSL_CA_Bundle.pem, and Thawte also says to download these two: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1373&actp=LIST&viewlocale=en_US
So, the last two are the root CAs if I understand correctly, and the first is the intermediate CA...?
And then what to do with it? Combine them all in one file? I have no clue.
The certificate (key + crt + SSL_CA_Bundle.pem) works fine on Apache but not on Zimbra. Where do I put the root CAs?
Ace Suares
Postby Ace Suares » Tue Feb 17, 2015 4:10 pm
FINALLY! Thawte sent me two new CAs (the 'root' and the 'secondaryca_g2') and I combined them in a file (first the secondary, then the root) and the resulting intermediate works.
-----BEGIN CERTIFICATE-----
MIIEsjCCA5qgAwIBAgIQFofWiG3iMAaFIz2/Eb9llzANBgkqhkiG9w0BAQsFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
{snip}
A3nIuUxnYQSgiyf/WQDrVX/GtzM1LV5OrLjqEsXo97mrvnSSLLfZTcqELxzC8HJ8
sjFuz4DliAc2UXu6Ya9tjSNbNKOVvKIxf/L157fo78S1JzLp955pxyvovrsMqufq
YBLqJop4
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCB
qTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMf
{snip}
LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7
jVaMaA==
-----END CERTIFICATE-----
cayaraa
Postby cayaraa » Thu Feb 19, 2015 12:26 pm
A lot of CA vendors have two intermediate certs (and roots) right now because there are different cert chains for SHA-1 and SHA-2 (256).
cichy_misiek
Postby cichy_misiek » Mon Mar 02, 2015 11:53 am
Hello. I have a problem.
In our company we have a Zimbra ZCS 8.5.0 server.
A few months ago I installed a commercial certificate. Now the certificate has expired and we bought a new one, but I get the error: error 2 at 3 depth lookup:unable to get issuer certificate.
What is amazing is that when I verify with this command, the cert is OK: openssl verify -CAfile ca_bundle.crt usdk.crt
usdk.crt: OK
But when I use: /opt/zimbra/openssl/bin/openssl verify -CAfile ca_bundle.crt usdk.crt
error 2 at 3 depth lookup:unable to get issuer certificate
Where is the problem? In Zimbra's openssl or in the certs?
"Unable to get local issuer certificate" is a common SSL/TLS certificate error. It means the verifier could not build a complete chain from the certificate it was handed up to a root it already trusts; most commonly an intermediate certificate is missing. The fix is to make the entire chain available: the intermediates alongside the server certificate, and the root in the trust store.
We will dive into why this happens and how to fix it.
Understanding certificate chain
A certificate chain is an ordered list of certificates: the SSL/TLS server certificate, one or more intermediate CA certificates, and the root Certificate Authority (CA) certificate. It lets the receiver check that every signature in the list is valid and that the list ends at a CA it already trusts.
- Root Certificate. A root certificate is the self-signed certificate of the issuing Certificate Authority. It ships pre-installed in most browsers and operating systems, in what is called a "trust store." The private keys behind root certificates are closely guarded by CAs and normally kept offline.
- Intermediate Certificate. Intermediate certificates branch off root certificates like the branches of a tree. They act as middle-men between the protected root and the server certificates issued to the public, so the root key is never used for day-to-day issuance. Publicly trusted CAs practically always issue through at least one intermediate, and there can be more than one.
- Server Certificate. The server certificate (also called the leaf or end-entity certificate) is the one issued for the specific domain the user needs coverage for; it is marked CA:FALSE and cannot issue further certificates.
We will use these files in the examples below.
- CA certificate file (usually called ca.pem or cacerts.pem): the root, i.e. the trust anchor
- Intermediate certificate file (if one exists; there can be more than one. If you don't know whether you need an intermediate certificate, run through the steps below and the verify errors will tell you)
- Server certificate file
How do Certificate Chains work?
When we install our TLS certificate, we are also sent an intermediate certificate (or a bundle of them) to install alongside it.
When a browser receives our website's TLS certificate, it begins chaining that certificate back to a root. It follows the Issuer of the server certificate to the intermediate we installed, and from there keeps tracing backwards until it arrives at a root certificate in its own trust store.
If every signature checks out and the chain ends at a trusted root, the certificate is trusted. If it cannot be chained back to a trusted root, the browser issues a warning about the certificate. openssl verify applies the same rule, which is why a server that is missing its intermediate fails in both places.
View Certificate Chain
The openssl utility can display the chain a server sends. The following command connects to google.com and prints the chain; the "Certificate chain" part of its output looked like this when the article was written (the names are from an older Google chain, a current connection shows different CAs). Add -showcerts to get the PEM body of every certificate, and redirect stdin from /dev/null so the command exits instead of waiting for input.
openssl s_client -connect google.com:443 -servername google.com </dev/null
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
In the openssl output, the numbered entries are the certificates the server actually sent, starting with the server certificate (#0) followed by the intermediate (#1) and the top of the sent chain (#2). Note that #2 here is not self-signed: GeoTrust Global CA is itself issued (cross-signed) by Equifax, so the chain terminates at whichever of the two the client's trust store contains. The "Verify return code" line further down the s_client output tells you whether your local trust store could complete the chain.
The s: indicates the certificate's Subject, and i: its Issuer, i.e. the Subject of the certificate that signed it.
Guidelines to verify the certificate chain is valid
- The Issuer of each certificate matches the Subject of the next certificate up the chain: the Subject of the intermediate certificate matches the Issuer of the entity certificate, and the Subject of the root certificate matches the Issuer of the intermediate certificate.
- Subject and Issuer are the same for the root certificate (it is self-signed).
Matching names are necessary but not sufficient: openssl verify also checks that each signature validates under the parent's public key, that every certificate is within its validity period, that the CA certificates carry basicConstraints CA:TRUE (with any pathlen honoured) and keyUsage keyCertSign, and that the root is actually in the trust store. If the chain passes all of those checks, it is complete and valid.
Example of a valid certificate chain
Server certificate
openssl x509 -noout -text -in entity.pem | grep -E '(Subject|Issuer):'
Issuer: C = US, O = Google Trust Services, CN = GTS CA 1O1
Subject: C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.enterprise.apigee.com
Intermediate certificate
openssl x509 -noout -text -in intermediate.pem | grep -E '(Subject|Issuer):'
Issuer: OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
Subject: C = US, O = Google Trust Services, CN = GTS CA 1O1
Root certificate
openssl x509 -noout -text -in root.pem | grep -E '(Subject|Issuer):'
Issuer: OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
Subject: OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
Check SSL Certificate with OpenSSL
Validate certificate chain with server and root Certificate
$ openssl verify cert.pem
cert.pem: C = Country, ST = State, O = Organization, CN = FQDN
error 20 at 0 depth lookup:unable to get local issuer certificate
"Depth 0" is the server certificate itself: openssl found nothing in its trust store that issued it. First confirm that the issuer named in the server certificate really is the subject of the CA certificate we are about to trust:
$ openssl x509 -noout -issuer -in cert.pem
issuer= /CN=the name of the CA
$ openssl x509 -noout -subject -in ca.pem
subject= /CN=the name of the CA
The names match, so passing ca.pem as the trust anchor with -CAfile completes the chain:
$ openssl verify -CAfile ca.pem cert.pem
cert.pem: OK
Note that -CAfile adds to, rather than replaces, the default system trust store; add -no-CAfile -no-CApath (OpenSSL 1.1.0 and later) when you want the verdict to depend only on ca.pem.
Validate certificate chain with server, intermediate, and root Certificate
$ openssl verify cert.pem
cert.pem: C = Countrycode, ST = State, O = Organization, CN = yourdomain.com
error 20 at 0 depth lookup:unable to get local issuer certificate
To complete the validation of the chain, we need to provide both the CA (root) certificate file and the intermediate certificate file when validating the server certificate file.
We do that with the parameters -CAfile (the root, which becomes a trust anchor) and -untrusted (the intermediates, which may be used to build the path but are never trusted on their own):
$ openssl verify -CAfile ca.pem -untrusted intermediate.cert.pem cert.pem
cert.pem: OK
If we have multiple intermediate CA certificates, we can either repeat the parameter, as in -untrusted intermediate1.pem -untrusted intermediate2.pem, or concatenate them into one PEM file; the order of the certificates inside that file does not matter. Keep the root in -CAfile rather than in the -untrusted bundle: a certificate supplied as untrusted cannot terminate the chain.
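The script below is an added example, not code from this article or from any of the answers quoted above. It builds a throwaway root -> inter1 -> inter2 -> leaf PKI with openssl (every file name and subject is invented for the demonstration), then runs the same verify commands the answers describe: the leaf with only the root trusted (error 20 at depth 0), the leaf with the intermediates supplied via -untrusted (OK), a leaf under an extra CA that breaks the intermediate's pathlen:0 (the constraint LingSamuel's answer mentions, seen from the verifier's side), and the issuer/subject name-chaining check from the guidelines section. It serves Biba's multi-intermediate example and this section alike.

```shell
#!/bin/sh
# Added example (not from the original page): build a throwaway root -> inter1
# -> inter2 -> leaf PKI and exercise "openssl verify" the way the answers
# describe. Every file name and subject below is invented for the demonstration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# issue_cert NAME CN PARENT EXT...   writes NAME.key and NAME.crt.
# An empty PARENT makes a self-signed certificate; otherwise PARENT.key signs it.
# EC keys keep generation fast; the verification logic is identical for RSA.
issue_cert() {
    name=$1 cn=$2 parent=$3; shift 3
    printf '%s\n' "$@" > "$name.ext"          # one x509v3 extension per line
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$name.key" -subj "/CN=$cn" -out "$name.csr" 2>/dev/null
    if [ -z "$parent" ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 \
            -extfile "$name.ext" -out "$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$parent.crt" -CAkey "$parent.key" \
            -CAcreateserial -days 1 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
    fi
}

CA_KU='keyUsage=critical,keyCertSign,cRLSign'
issue_cert root   'Example Test Root CA'  ''     'basicConstraints=critical,CA:TRUE,pathlen:2' "$CA_KU"
issue_cert inter1 'Example Test Int CA 1' root   'basicConstraints=critical,CA:TRUE,pathlen:1' "$CA_KU"
issue_cert inter2 'Example Test Int CA 2' inter1 'basicConstraints=critical,CA:TRUE,pathlen:0' "$CA_KU"
issue_cert leaf   'www.example.test'      inter2 'basicConstraints=CA:FALSE' 'subjectAltName=DNS:www.example.test'
# inter2 carries pathlen:0, so a further CA below it (and anything it issues)
# must be rejected at verification time even though issuing it succeeds.
issue_cert inter3 'Example Test Int CA 3' inter2 'basicConstraints=critical,CA:TRUE,pathlen:0' "$CA_KU"
issue_cert deep   'deep.example.test'     inter3 'basicConstraints=CA:FALSE'

cat inter2.crt inter1.crt > chain.crt                 # bundle order does not matter
cat inter3.crt inter2.crt inter1.crt > chain_deep.crt

# verify_leaf LEAF [BUNDLE...]: root.crt is the only trust anchor; every bundle
# is passed with -untrusted. Prints openssl's verdict and returns its exit status.
verify_leaf() {
    leaf=$1; shift
    args=''
    for f in "$@"; do args="$args -untrusted $f"; done
    # $args is split on purpose (the file names here contain no spaces)
    openssl verify -CAfile root.crt $args "$leaf" 2>&1
}

# links_to CERT ISSUER: the name-chaining rule, i.e. CERT's Issuer equals
# ISSUER's Subject. openssl verify additionally checks the signature, validity
# period, basicConstraints and keyUsage; this name check alone is not enough.
links_to() {
    iss=$(openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer= *//')
    sub=$(openssl x509 -noout -subject -in "$2" | sed 's/^subject= *//')
    [ "$iss" = "$sub" ]
}

echo '# root trusted, intermediates missing -> error 20 at depth 0'
verify_leaf leaf.crt || true
echo '# same leaf, intermediates supplied with -untrusted -> OK'
verify_leaf leaf.crt chain.crt
echo '# CA below a pathlen:0 intermediate -> path length constraint exceeded'
verify_leaf deep.crt chain_deep.crt || true
echo '# name chaining leaf <- inter2 <- inter1 <- root'
links_to leaf.crt inter2.crt && links_to inter2.crt inter1.crt \
    && links_to inter1.crt root.crt && links_to root.crt root.crt \
    && echo 'issuer/subject names chain correctly'
```

Run it with sh on any machine that has OpenSSL 1.1.0 or later on the PATH; it prints the three verdicts and removes its temporary directory on exit. The leaf is issued by inter2, so the root alone can never complete the chain; that is exactly the situation behind the "error 20 at 0 depth" reports above, and the only fix is to hand the verifier the intermediates, whether through -untrusted here or through the bundle a server sends.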