openssl s_client -connect www.verisign.com:443 error: unable to get local issuer certificate

    $ openssl s_client -connect  www.verisign.com:443

CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Infrastructure Operations  /CN=www.verisign.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2158113/C=US/postalCode=94043/ST=California/L=Mountain View/street=350 Ellis Street/O=Symantec Corporation/OU=Infrastructure Operations  /CN=www.verisign.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 5430 bytes and written 518 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 2F34B55CEBC134802617285A5BB8119BD914D3180158DD9FB3FD6386C7AC1679
    Session-ID-ctx:
    Master-Key: A8CE8B9A45E6685ABFE144BF8A7DF285183EF4828F5E1231C452C0B895715D774CBF3733B7C3B9495060F6B034E84EF8
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:

    Start Time: 1392865536
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

openssl s_client -connect www.verisign.com:443 -CApath /etc/ca-certificates

First understand how SSL/TLS actually works, then read man s_client.


<VirtualHost _default_:443> 
    SSLProxyEngine on 
    SSLEngine on 
    #SSLSessionCacheTimeout  2100 
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP 
    SSLCertificateFile /etc/httpd/common/server.crt 
    SSLCertificateKeyFile /etc/httpd/common/server.key 
    SSLCertificateChainFile /etc/httpd/common/server_intermediate.pem 
    Include conf/conf/xxx.conf 
</VirtualHost> 

This is my configuration file on Apache. The browser already accepts the certificate, but when I verify it with openssl:

CONNECTED(00000003)
depth=0 ....................
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 ........................
verify error:num=27:certificate not trusted
verify return:1
depth=0 ....................
verify error:num=21:unable to verify the first certificate
verify return:1

Verify return code: 21 (unable to verify the first certificate)

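Copy out the Server certificate section of the output, that is, the block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.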


Save it as CA.cert
openssl s_client -CAfile CA.cert -connect www.verisign.com:443
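
An added example, not part of the thread above: a small parser for the "Certificate chain" section of `openssl s_client` output that checks each certificate's issuer against the next certificate's subject and reports the top-of-chain issuer the server did not send, which is the name OpenSSL looks up in `-CAfile`/`-CApath`. The function names are hypothetical, and the sample keeps only the CNs from the output quoted in the question.

```python
import re

# "Certificate chain" section of `openssl s_client` output. The names are the
# CNs from the output quoted on this page, with the other DN fields dropped
# for readability (abbreviated sample, not a verbatim capture).
SAMPLE = """\
Certificate chain
 0 s:/CN=www.verisign.com
   i:/CN=VeriSign Class 3 Extended Validation SSL SGC CA
 1 s:/CN=VeriSign Class 3 Extended Validation SSL SGC CA
   i:/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
"""

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain' section."""
    chain, in_section, current = [], False, None
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
        elif in_section and line.startswith("---"):
            break  # end of the chain section
        elif in_section:
            m = re.match(r"\s*(\d+) s:\s*(.*)", line)
            if m:
                current = [int(m.group(1)), m.group(2).strip(), None]
                chain.append(current)
            elif current and (m := re.match(r"\s+i:\s*(.*)", line)):
                current[2] = m.group(1).strip()
    return [tuple(c) for c in chain]

def diagnose(chain):
    """Find broken issuer->subject links and the issuer that must be found locally."""
    gaps = [(d, issuer) for (d, _, issuer), (_, nsubj, _) in zip(chain, chain[1:])
            if issuer != nsubj]
    _, top_subject, top_issuer = chain[-1]
    return {"gaps": gaps,                                # certs whose issuer is not the next cert
            "self_signed_top": top_subject == top_issuer,  # server sent a root itself
            "looked_up_locally": top_issuer}             # must be present in -CAfile/-CApath

if __name__ == "__main__":
    result = diagnose(parse_chain(SAMPLE))
    print("broken links:", result["gaps"])
    print("issuer needed in local trust store:", result["looked_up_locally"])
```

When the server sends only its own certificate, the same check names the intermediate as the missing issuer, which is the situation OpenSSL reports as error 21 (unable to verify the first certificate).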
