When OpenSSL returns this error, the program was unable to verify the certificate’s issuer or the topmost certificate of a provided chain. 

This can happen for a few reasons:

  • The certificate chain or certificate wasn’t provide by the other side or was self-signed 

  • The root certificate is not in the local database of trusted root certificates

  • The local database of trusted root certificates was not give or queried by OpenSSL. To explicitly give the path to the certificates, use -CApath or -CAfile.

For example, in Debian or Ubuntu, it would look like this:

-CApath /etc/ssl/certs/ 
-CAfile /etc/ssl/certs/ca-certificates.crt

The result would then be one of the following:

openssl s_client -connect example.com:443 -CApath /etc/ssl/certs/ 
openssl s_client -connect example.com:443 -CAfile /etc/ssl/certs/ca-certificates.crt

While you enter correct Root and Sub CA Root certificates, ensure SSLCACertificateFile has the full chain inside the file.

Need help? Please contact us at support@assembla.com 

Did this answer your question?