Weird hangs or trust problems are sometimes reported on systems that use an incomplete or non-updated certificate repository. An incomplete chain results in the following error:

The only way is to provide the full certification chain server-side. To verify that servers are correctly sending all necessary cryptographic material, you may issue the following command:

    $ openssl s_client
e.g. (complete chain: verify error "self signed certificate in certificate chain" may be ignored since it is referring to the root CA AddTrust External CA Root):

    $ openssl s_client -CAfile /etc/ssl/certs/DigiCert_Assured_ID_Root_CA.pem -connect gino.units.it:443 | head -15
    depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    CONNECTED(00000003)
    ---
    Certificate chain
     0 s:/OU=Domain Control Validated/CN=gino.units.it
       i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
     1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
       i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
     2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
       i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
     3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
       i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFOTCCBCGgAwIBAgIQL5gV6MAGC9mwMq39qSluSDANBgkqhkiG9w0BAQsFADBk

    depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL CA 2
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    CONNECTED(00000003)
    ---
    Certificate chain
     0 s:/OU=Domain Control Validated/CN=mail.dimpo.units.it
       i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
     1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
       i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
    ---

Result of complete chain verification should be

    Verify return code: 0 (ok)
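To read the "Certificate chain" section without comparing the s:/i: lines by eye, the following added example (not part of the original page) summarises s_client output fed to it on stdin. The function names `chain_summary` and `sample_short_chain` are hypothetical, and the embedded sample is the mail.dimpo.units.it chain shown above.

```shell
#!/bin/sh
# Added example: summarise the "Certificate chain" section of `openssl s_client` output.
# Reads s_client text on stdin and prints one line:
#   self-signed-root <subject>  the last certificate sent is its own issuer
#   needs-local <issuer>        the client must already hold this issuer's certificate
#   broken-link <depth>         the certificate at <depth> is not issued by the next one
#   no-chain                    no chain section was found in the input
chain_summary() {
    awk '
        BEGIN { n = 0 }
        /^Certificate chain/       { in_chain = 1; next }
        in_chain && /^---/         { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n++] = $0 }
        END {
            if (n == 0) { print "no-chain"; exit }
            # Each certificate must be issued by the subject of the one after it.
            for (k = 0; k < n - 1; k++)
                if (iss[k] != subj[k + 1]) { print "broken-link " k; exit }
            if (iss[n - 1] == subj[n - 1]) print "self-signed-root " subj[n - 1]
            else                           print "needs-local " iss[n - 1]
        }'
}

# Sample input: the chain section of the mail.dimpo.units.it output on this page.
sample_short_chain() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=mail.dimpo.units.it
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
---
EOF
}

sample_short_chain | chain_summary
```

A `needs-local` result names the issuer that the client has to find in its own certificate store; when it cannot, verification stops with the `unable to get local issuer certificate` error shown above.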