When OpenSSL returns this error, the program was unable to verify the certificate’s issuer or the topmost certificate of a provided chain.
This can happen for a few reasons:
- The certificate chain or certificate wasn’t provided by the other side or was self-signed
- The root certificate is not in the local database of trusted root certificates
- The local database of trusted root certificates was not given to or queried by OpenSSL. To explicitly give the path to the certificates, use -CApath or -CAfile.
For example, on Debian or Ubuntu, the command would be one of the following:
openssl s_client -connect example.com:443 -CApath /etc/ssl/certs/
openssl s_client -connect example.com:443 -CAfile /etc/ssl/certs/ca-certificates.crt
When you enter the correct root and sub-CA certificates, ensure that the file SSLCACertificateFile points to contains the full chain.
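The causes listed above can be reproduced offline. The script below is an added example, not part of the original page: it builds a throwaway root, intermediate and leaf certificate (all names, lifetimes and file paths are assumptions) and runs openssl verify with and without the intermediate and the -CAfile trust anchor.

```shell
#!/bin/sh
# Added example: constructed root -> intermediate -> leaf PKI; every name is hypothetical.
d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT

# new_csr NAME: fresh RSA key and CSR for CN=NAME
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
}

# build_pki: self-signed root, intermediate signed by root, leaf signed by intermediate
build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  for n in root int leaf; do new_csr "$n" || return 1; done
  openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
  openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/leaf.pem" 2>/dev/null &&
  cat "$d/int.pem" "$d/root.pem" > "$d/chain.pem"   # full chain in one CA file
}

# verify_leaf [OPTIONS]: exit status 0 only if openssl can build a trusted chain
verify_leaf() { openssl verify "$@" "$d/leaf.pem" >/dev/null 2>&1; }

# report LABEL [OPTIONS]: print the outcome of verify_leaf without failing the script
report() {
  label=$1; shift
  if verify_leaf "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi
}

build_pki || { echo "openssl could not build the test PKI" >&2; exit 1; }
report "no trust store given; root is not in the system store"
report "root trusted, intermediate not provided"     -CAfile "$d/root.pem"
report "root trusted, intermediate sent by the peer" -CAfile "$d/root.pem" -untrusted "$d/int.pem"
report "CA file holds the full chain"                -CAfile "$d/chain.pem"
```

The first two checks fail and the last two succeed: verification needs both a trusted root and every intermediate, whether the intermediate arrives from the peer or sits in the CA file.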