Third Party Intermediate CA bundles do not appear to be valid

Solution Verified

Environment

  • Red Hat Enterprise Linux (RHEL) 6.x
  • Red Hat Enterprise Virtualization (RHEV) 3.x
  • Third-party SSL certificates for Apache/HTTPS

Issue

When trying to use a third party Intermediate CA bundle, openssl verify produces this error:

error 20 at 0 depth lookup:unable to get local issuer certificate

Resolution

Most intermediate CA bundles do not contain the root CA certificate that issued them. They rely instead on the root CA bundle shipped by the OS; on RHEL that bundle is provided by the ca-certificates package. If this package is out of date, the root that issued the intermediate is missing from the system store, so openssl cannot complete the chain and verification of the intermediate CA bundle fails.

The solution is to update ca-certificates:

# yum update ca-certificates

Root Cause

An out of date ca-certificates caused the intermediate CA bundle to fail to locate a valid root CA bundle.

Diagnostic Steps

  • Get an idea of what system files openssl loads when verifying a CA bundle:

$ strace openssl verify sf_bundle-g2-g1.crt 2>&1|grep etc
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
access("/etc/system-fips", F_OK)        = -1 ENOENT (No such file or directory)
open("/etc/pki/tls/openssl.cnf", O_RDONLY) = 3
open("/etc/pki/tls/cert.pem", O_RDONLY) = 3

So openssl appears to use /etc/pki/tls/cert.pem as its store of root CAs.

  • Find out which package provides that file:

# rpm -qf /etc/pki/tls/cert.pem
ca-certificates-2010.63-3.el6_1.5.noarch

  • Check when the intermediate CA bundle was issued; here it is newer (2011) than the installed ca-certificates package (2010), so the root store predates it:

$ openssl x509 -inform PEM -in sf_bundle-g2-g1.crt -text|grep Before
            Not Before: May  3 07:00:00 2011 GMT

  • Upgrade ca-certificates and re-run the openssl verify:

# yum update ca-certificates
# openssl verify sf_bundle-g2-g1.crt
sf_bundle-g2-g1.crt: OK
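The diagnostic above can be scripted. The following is an added example, not code from this Red Hat solution: it splits a PEM bundle into its certificates, verifies each one against a chosen trust store, and names the issuer the store lacks, which is what error 20 is reporting. It assumes openssl is on PATH; the CAFILE variable and the function names are chosen here, and the Demo Root / Other Root / Demo Intermediate certificates it generates are a constructed fixture standing in for a real intermediate bundle and an out-of-date root store.

```shell
# Split a PEM bundle, verify each certificate against the trust store, and name
# the issuer that could not be found. Added example, not from the Red Hat article.
# Assumes `openssl` is on PATH. CAFILE selects the trust store to test (for the
# RHEL case above, /etc/pki/tls/cert.pem); unset, openssl's default store is used.

# Split bundle $1 into cert-NN.pem files under directory $2.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# Verify one certificate; openssl prints "<file>: OK" as the last line on success.
run_verify() {
  if [ -n "${CAFILE:-}" ]; then openssl verify -CAfile "$CAFILE" "$1" 2>&1
  else openssl verify "$1" 2>&1; fi
}

# Print OK/FAIL per certificate in bundle $1; return 1 if any fails. The exit
# status of old `openssl verify` is unreliable, so the output is checked instead.
check_bundle() {
  tmp=$(mktemp -d); rc=0
  split_bundle "$1" "$tmp"
  for c in "$tmp"/cert-*.pem; do
    subj=$(openssl x509 -noout -subject -in "$c")
    out=$(run_verify "$c")
    case "$(printf '%s\n' "$out" | tail -n 1)" in
      *": OK") echo "OK   $subj" ;;
      *) echo "FAIL $subj"
         echo "     not in trust store: $(openssl x509 -noout -issuer -in "$c")"
         echo "     $(printf '%s\n' "$out" | grep 'error [0-9]* at' | head -n 1)"
         rc=1 ;;
    esac
  done
  rm -rf "$tmp"; return $rc
}

# Constructed fixture (not real certificates) written to directory $1: a root, an
# unrelated root standing in for an out-of-date store, and an intermediate signed
# by the root. Verifying inter.pem against other.pem reproduces error 20.
make_demo_bundle() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other Root" \
    -keyout "$1/other.key" -out "$1/other.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$1/inter.key" -out "$1/inter.csr" 2>/dev/null
  openssl x509 -req -in "$1/inter.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 1 -out "$1/inter.pem" 2>/dev/null
}
```

Source the file and run `check_bundle sf_bundle-g2-g1.crt` to test a real bundle against the system store, or run `make_demo_bundle` into a scratch directory and check `inter.pem` with `CAFILE` pointing first at `other.pem` (fails, names Demo Root) and then at `root.pem` (OK).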

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
