Third Party Intermediate CA bundles do not appear to be valid
Environment
- Red Hat Enterprise Linux (RHEL) 6.x
- Red Hat Enterprise Virtualization (RHEV) 3.x
- Third-party SSL certificates for Apache/HTTPS
Issue
When trying to use a third party Intermediate CA bundle, openssl verify produces this error:
error 20 at 0 depth lookup:unable to get local issuer certificate
Resolution
Most intermediate CA bundles do not contain the root CA certificate that issued them. They rely on that root already being present in the trust store shipped with the OS, which on RHEL is the ca-certificates package (openssl verify reads it from /etc/pki/tls/cert.pem by default). If the installed package predates the root in question, openssl cannot build a chain from the intermediate to a trusted root and reports error 20.
The solution is to update ca-certificates:
# yum update ca-certificates
If verification still fails after the update, the issuing root is simply not in the distribution's store. In that case obtain the root certificate from the CA's published material and check the chain against it explicitly with the -CAfile option of openssl verify before deploying the bundle; do not add an unverified root to the system store just to make the error go away.
Root Cause
An out-of-date ca-certificates package lacked the root CA certificate that issued the intermediate, so openssl could not complete the chain from the intermediate bundle to a trusted root.
Diagnostic Steps
- Get an idea of what system files openssl loads when verifying a CA bundle:
$ strace openssl verify sf_bundle-g2-g1.crt 2>&1|grep etc
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
access("/etc/system-fips", F_OK) = -1 ENOENT (No such file or directory)
open("/etc/pki/tls/openssl.cnf", O_RDONLY) = 3
open("/etc/pki/tls/cert.pem", O_RDONLY) = 3
So openssl reads its root CAs from /etc/pki/tls/cert.pem.
- Find out what package contains that file
# rpm -qf /etc/pki/tls/cert.pem
ca-certificates-2010.63-3.el6_1.5.noarch
- Verify that the intermediate CA bundle was issued later than the installed ca-certificates package (2010 in this case):
$ openssl x509 -inform PEM -in sf_bundle-g2-g1.crt -text|grep Before
Not Before: May 3 07:00:00 2011 GMT
- Upgrade ca-certificates and re-run the openssl verify:
# yum update ca-certificates
# openssl verify sf_bundle-g2-g1.crt
sf_bundle-g2-g1.crt: OK
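The following shell script is added here as an illustration and is not part of the original Red Hat article. It reproduces the failure and the fix end to end: it creates a throwaway root and an intermediate signed by it, verifies the intermediate against a store that holds only an unrelated root (standing in for an out-of-date ca-certificates bundle), and then against a store that also contains the real root. The CA names, file names and scratch directory are made up, and it assumes an openssl binary on PATH. Passing both -CAfile and -CApath keeps openssl away from the system trust store, so the result does not depend on the machine it runs on.

```shell
#!/bin/sh
# Added example, not from the Red Hat article. Reproduces
# "error 20 ... unable to get local issuer certificate" with a throwaway
# root and intermediate CA, then shows the same intermediate verifying once
# its root is present in the store openssl consults.
# Assumptions: openssl on PATH, a writable scratch directory; all names below
# are made up for the demonstration.

WORK="${WORK:-$(mktemp -d)}"
mkdir -p "$WORK/empty-capath"   # empty -CApath so the system store is never used

# Minimal req config. -subj supplies the real subject, but req still insists
# on a distinguished_name section, hence the placeholder.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# self_signed_root NAME PREFIX: write $WORK/PREFIX.key and $WORK/PREFIX.crt
self_signed_root() {
    openssl req -new -x509 -config "$WORK/ca.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.crt" 2>/dev/null
}

# make_chain: the real root, an intermediate it issues, an unrelated root that
# plays the role of a stale trust store, and an "updated" store with both roots.
make_chain() {
    self_signed_root "Example Test Root G2" root
    self_signed_root "Unrelated Old Root" stale
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Test Intermediate" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial -days 365 \
        -extfile "$WORK/ca.cnf" -extensions v3_intermediate \
        -out "$WORK/int.crt" 2>/dev/null
    cat "$WORK/stale.crt" "$WORK/root.crt" > "$WORK/updated-store.pem"
}

# verify_result STORE CERT: print "OK" on success, otherwise "error NN" taken
# from openssl's "error NN at D depth lookup: ..." line. Giving both -CAfile
# and -CApath explicitly stops openssl from falling back to the default store.
verify_result() {
    out=$(openssl verify -CAfile "$1" -CApath "$WORK/empty-capath" "$2" 2>&1) || :
    if printf '%s\n' "$out" | grep -q ': OK$'; then
        echo OK
    else
        printf '%s\n' "$out" | sed -n 's/^error \([0-9]*\) at .*/error \1/p' | head -n 1
    fi
}

make_chain
echo "stale store:   $(verify_result "$WORK/stale.crt" "$WORK/int.crt")"
echo "updated store: $(verify_result "$WORK/updated-store.pem" "$WORK/int.crt")"
# The root that must be present is named in the intermediate's issuer field:
openssl x509 -in "$WORK/int.crt" -noout -issuer
```

The same verify_result check can be pointed at a real third-party bundle and at /etc/pki/tls/cert.pem to confirm whether the system store already carries the issuing root; the issuer line printed at the end is what to compare against the subjects in that store.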
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.