
Issue: When updating an SSL certificate, the result may be the OpenSSL error "error 20 at 0 depth lookup:unable to get local issuer certificate"

Description

  • When updating an SSL certificate in the Portal, OpenSSL is used to verify that the certificate and key (along with the passphrase and any intermediate certificates) are valid
    • If one of these dependencies is not valid, an error message appears:
      • "error 20 at 0 depth lookup:unable to get local issuer certificate"

If you're looking for How to Upload SSL Certificates, see SSL Workflow: How to Upload SSL Certificates, Create SSL Profiles, and Add SSL Profiles to Proxy

 

Environment

  • Silverline WAF
  • Silverline DDoS
  • Proxy/Proxies
  • SSL certificate/SSL profile

 

Cause

  • OpenSSL detected that something is wrong with the certificate, key, passphrase, and/or intermediate certificate.

 

Resolution

Cause: Invalid Intermediate/RootCA

  • To locate the exact issue, open the SSL certificate and review it for additional errors
    • Under Config > Proxy Configuration > SSL Management
    • Use the "View Certificate" button to view the Certificate Output
      • For an Intermediate/RootCA certificate error, the output looks like this:

        Certificate:
            Data:
                Version: 3 (0x2)
                Serial Number:
                    00:e2:15:51:ea:00:00:e8:00:1e:e3:f6
            Signature Algorithm: sha256WithRSAEncryption
                Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2
                Validity
                    Not Before: Feb 01 00:00:00 2020 GMT
                    Not After : Feb 01 00:00:00 2022 GMT
                Subject: OU=Domain Control Validated, CN=www.example.com
                Subject Public Key Info:
                    Public Key Algorithm: rsaEncryption
                        Public-Key: (2048 bit)
        ...
        ...
      • The intermediate certificate to be used, in this example, is "GlobalSign Organization Validation CA - SHA256 - G2": it is the CN on the "Issuer" line, directly underneath "Signature Algorithm"
      • Ensure that the intermediate certificate's Subject name is the same as the Issuer name found in the certificate
        • The intermediate in this example should read as follows:
          Subject: OU=Domain Control Validated, CN=GlobalSign Organization Validation CA - SHA256 - G2
        • The CN in the Subject of the intermediate must be the same as the CN in the Issuer of the certificate.

Missing Intermediate Certificate

Download the certificate from the Certificate and Key entry that shows the OpenSSL error:

  1. Copy it to your local Linux machine and find the issuer certificate:
     openssl x509 -in certificate.crt -noout -text

     (...)

     Authority Information Access:
         CA Issuers - URI:http://trust.quovadisglobal.com/qvsslg3.crt
         OCSP - URI:http://ocsp.quovadisglobal.com

     (...)
  2. Download the correct intermediate certificate with your browser. From the example above: http://trust.quovadisglobal.com/qvsslg3.crt
  3. Convert it to PEM (if the downloaded file already starts with "-----BEGIN CERTIFICATE-----" it is PEM and needs no conversion):
     openssl x509 -inform der -in qvsslg3.crt -out intermediate.crt
  4. Alternatively, fetch and convert it in one step (the sed expression extracts the URL that follows "CA Issuers - URI:"):
     curl -s "$(openssl x509 -in certificate.crt -noout -text | sed -n 's/.*CA Issuers - URI://p' | head -n 1)" > tmp_inter_cert.der
     openssl x509 -inform der -in tmp_inter_cert.der -out intermediate.crt
     rm tmp_inter_cert.der
  5. Add the intermediate certificate to the portal.
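The checks described above (Issuer CN of the certificate against Subject CN of the intermediate, the "CA Issuers" URL from the AIA extension, and the error 20 result when the intermediate is missing) as an added, self-contained example. It is not part of the original article: it builds its own constructed test PKI with hypothetical names and a hypothetical AIA URL, so it runs offline with only the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the original article). Builds a constructed
# root -> intermediate -> leaf chain with throwaway keys, then shows the
# checks the article describes: the leaf's Issuer CN must equal the
# intermediate's Subject CN, and `openssl verify` reports error 20
# ("unable to get local issuer certificate") until the intermediate is supplied.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Extension files: CA flag for the issuing CAs, and an AIA "CA Issuers" URL
# on the leaf (hypothetical URL, only so the extraction below has input).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'authorityInfoAccess=caIssuers;URI:http://pki.example.test/inter.crt\n' > leaf.ext

# Constructed test PKI (hypothetical names, 2-day validity).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout root.key -out root.crt \
    -subj "/O=Example/CN=Example Root CA" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/O=Example/CN=Example Issuing CA - G2" >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out inter.crt >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=www.example.com" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 2 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1

# CN from a certificate's subject or issuer ($2 = "subject" or "issuer").
cn_of() { openssl x509 -in "$1" -noout -"$2" -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'; }

# "CA Issuers" URL from the leaf's Authority Information Access extension.
aia_issuer_url() { openssl x509 -in "$1" -noout -text | sed -n 's/.*CA Issuers - URI://p' | head -n 1; }

# The article's check: leaf Issuer CN must match the intermediate's Subject CN.
issuer_matches() { [ "$(cn_of "$1" issuer)" = "$(cn_of "$2" subject)" ]; }

# Verify LEAF against ROOT, optionally with INTERMEDIATE as an untrusted chain
# certificate; prints "ok" or the relevant OpenSSL error text.
verify_leaf() {  # usage: verify_leaf LEAF ROOT [INTERMEDIATE]
    leaf=$1; root=$2; shift 2
    if out=$(openssl verify -CAfile "$root" ${1:+-untrusted "$1"} "$leaf" 2>&1); then
        echo ok
    else
        echo "$out" | grep -o 'unable to get local issuer certificate' || echo "$out" | tail -n 1
    fi
}

echo "AIA CA Issuers URL:   $(aia_issuer_url leaf.crt)"
echo "Without intermediate: $(verify_leaf leaf.crt root.crt)"   # the article's error 20
echo "With intermediate:    $(verify_leaf leaf.crt root.crt inter.crt)"
issuer_matches leaf.crt inter.crt && echo "Issuer CN of leaf matches Subject CN of intermediate"
```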

 
