Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.1k views
in Technique[技术] by (71.8m points)

ubuntu - Can't verify CA certificate unless CApath or CAfile used

Im having trouble with having OpenSSL connect to a server because of trust issues. I placed the CA certificate on /etc/ssl/certs/ and have run sudo c_rehash and can see that the correct file has been made. I can see that CA certificate is in the ca-certificates.crt. However if I run:

openssl s_client -connect servername.domain.com:636

The command fails with Verify return code: 21 (unable to verify the first certificate)

If I do:

openssl s_client -connect servername.domain.com:636 -CApath /etc/ssl/certs/

I get Verify return code: 0 (ok)

What can I do so I dont have to specify the CApath?

I'm using Ubuntu 13.04.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

You can also set and export the environment variables SSL_CERT_FILE or SSL_CERT_DIR...

export SSL_CERT_FILE=/path/to/ca_bundle.crt

export SSL_CERT_DIR=/path/to/ca/dir

Then you do not have to specify CAfile or CApath in every openssl command.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

2.1m questions

2.1m answers

60 comments

57.0k users

...