I’ve got an odd problem. I updated my LAMP dev machine (Debian) to PHP 7. Afterwards I cannot connect to a specific TLS-encrypted API via curl anymore.
The SSL cert in question is signed by thawte.
curl: (60) SSL certificate problem: unable to get local issuer certificate
which—of course—is also signed by Thawte, works.
I can access the API site via HTTPS from other machines, e.g. from my desktop via curl and in the browser. So the cert is definitely valid. SSL Labs rating is A.
Any other curl requests from my dev machine to other SSL-encrypted sites work. My root certs are up to date. To verify, I ran
update-ca-certificates
I even downloaded http://curl.haxx.se/ca/cacert.pem to /etc/ssl/certs and ran
Still the same error.
Is there any way to debug the verification process and see which local issuer certificate curl (or openssl) is looking for but not finding, i.e. a file name?
curl -vs https://example.com
tells me (IP and domain anonymized)
* Hostname was NOT found in DNS cache
*   Trying 192.0.2.1...
* Connected to example.com (192.0.2.1) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
echo | openssl s_client -connect example.com:443
CONNECTED(00000003)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=DE/ST=XYZ/CN=*.example.com
   i:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
 1 s:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=DE/ST=XYZ/CN=*.example.com
issuer=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 4214 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: [...]
    Session-ID-ctx:
    Master-Key: [...]
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 5a 95 df 40 2c c9 6b d5-4a 50 75 c5 a3 80 0a 2d   Z..@,.k.JPu....-
    [...]
    00b0 - d5 b9 e8 25 00 c5 c7 da-ce 73 fb f2 c5 46 c4 24   ...%.....s...F.$

    Start Time: 1455111516
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
DONE
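The question asks which local file curl/OpenSSL is looking for and not finding. With `CAfile: none CApath: /etc/ssl/certs`, OpenSSL's by-directory lookup opens exactly one kind of file for each issuer it needs: `<issuer_hash>.0` (then `.1`, `.2` on hash collisions), where the hash is what `openssl x509 -noout -issuer_hash` prints for the child and `-subject_hash` prints for the issuer. Any other file in that directory, including a `cacert.pem` bundle copied there, is never opened. The script below is an added example (not part of the original question or any answer); it prints that file name for every certificate in a PEM chain, reports whether it exists, and then reproduces the "bundle dropped into CApath but not rehashed" failure against a throw-away PKI built on the spot. It assumes only a POSIX shell, awk and the `openssl` CLI; the CA name `Demo Root CA`, the host `leaf.example.invalid` and all paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: locate the CApath file
# OpenSSL wants for each issuer in a chain, and show why an unhashed bundle
# copied into CApath is ignored. Demo CA, host name and paths are made up.

# Split a PEM bundle (e.g. saved from `openssl s_client -showcerts`) into
# one file per certificate.  $1 = bundle, $2 = output directory.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { close(out); inside = 0 }
    ' "$1"
}

# For each certificate in the bundle print the CApath file OpenSSL opens to
# find its issuer (<issuer_hash>.0) and whether it is there.
# $1 = bundle, $2 = CApath.  One line per cert: found|MISSING <file> <issuer>
chain_lookup() {
    tmp=$(mktemp -d)
    split_pem "$1" "$tmp"
    for c in "$tmp"/cert-*.pem; do
        h=$(openssl x509 -in "$c" -noout -issuer_hash)
        if [ -e "$2/$h.0" ]; then state=found; else state=MISSING; fi
        printf '%s %s/%s.0 %s\n' "$state" "$2" "$h" "$(openssl x509 -in "$c" -noout -issuer)"
    done
    rm -rf "$tmp"
}

# Exit status of `openssl verify` for cert $1 against CApath $2 (0 = chain built).
verify_ok() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Install CA cert $1 into CApath $2 under the name OpenSSL expects. This is
# what c_rehash / `openssl rehash` do (they use symlinks; a copy works too).
rehash_into() {
    cp "$1" "$2/$(openssl x509 -in "$1" -noout -subject_hash).0"
}

# Constructed throw-away PKI for the demo: self-signed root + one leaf.
# $1 = working directory.
make_demo_pki() {
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' 'prompt = no' \
        '[dn]' 'CN = Demo Root CA' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign' \
        'subjectKeyIdentifier = hash' > "$1/ca.cnf"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = leaf.example.invalid' > "$1/leaf.cnf"
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -new -config "$1/leaf.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 1 -out "$1/leaf.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    mkdir "$d/capath"
    # Step 1: copy a bundle into CApath, as the question did with cacert.pem.
    # The by-directory lookup never opens it, so the issuer stays MISSING.
    cp "$d/ca.pem" "$d/capath/cacert.pem"
    echo "== bundle copied into CApath but not rehashed =="
    chain_lookup "$d/leaf.pem" "$d/capath"
    openssl verify -CApath "$d/capath" "$d/leaf.pem" 2>&1 || true
    # Step 2: give the CA its <subject_hash>.0 name; now the lookup succeeds.
    rehash_into "$d/ca.pem" "$d/capath"
    echo "== after rehash =="
    chain_lookup "$d/leaf.pem" "$d/capath"
    openssl verify -CApath "$d/capath" "$d/leaf.pem" 2>&1 || true
    rm -rf "$d"
}

demo
# Against a live server, capture the chain it sends and run the same lookup:
#   openssl s_client -showcerts -connect example.com:443 </dev/null 2>/dev/null \
#     | sed -n '/BEGIN CERT/,/END CERT/p' > chain.pem
#   chain_lookup chain.pem /etc/ssl/certs
```

Read against the s_client output above: the error is reported at depth=2, so the file OpenSSL failed to open is `<hash>.0` for the issuer of the cross-signed thawte Primary Root CA, i.e. the old Thawte Premium Server CA named on the last `i:` line, not for the leaf's issuer. Two caveats a practitioner should keep in mind: on Debian, `update-ca-certificates` only hashes certificates it manages (the configured `/usr/share/ca-certificates` entries and `/usr/local/share/ca-certificates/*.crt`), so a bundle copied straight into `/etc/ssl/certs` is not picked up unless it is rehashed or passed as a CAfile; and OpenSSL releases before 1.1.0 build the chain in the order the server sent it, so if the legacy root at the end of the chain is absent from the store they fail with error 20 even though the thawte Primary Root CA one step earlier is trusted (OpenSSL 1.0.2 accepts `-trusted_first` to stop at the first trusted certificate; 1.1.0 does this by default).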