I've attempted to set up a certificate authority, and issue a certificate from that authority (with no intermediate in between; the authority covers *.node.consul, and the certificate is underneath that at: i-0c2e25880dab06f71.node.consul). However, when executing openssl verify (passing in the -CAfile option), it seems to still not be able to complete the lookup:
root@i-0c2e25880dab06f71:~# openssl verify -verbose -CAfile /root/ssl-ca.crt /root/ssl-cert.pem
/root/ssl-cert.pem: CN = i-0c2e25880dab06f71.node.consul, emailAddress = ecoan@instructure.com, O = Instructure, OU = Ops, C = US, ST = UT, L = SLC
error 20 at 0 depth lookup:unable to get local issuer certificate
Reading in the certificates with:
openssl x509 -in /root/ssl-cert.pem -text -noout
Leads to the following two outputs:
for the ca:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d3:f3:bc:d7:8f:6c:43:2f:ad:9b:6c:3e:1d:13:8e:c4
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=*.node.consul/emailAddress=ecoan@instructure.com, O=Instructure, OU=Ops, C=US, ST=UT, L=SLC
Validity
Not Before: Jan 1 16:52:31 2018 GMT
Not After : Jan 1 16:52:31 2038 GMT
Subject: CN=*.node.consul/emailAddress=ecoan@instructure.com, O=Instructure, OU=Ops, C=US, ST=UT, L=SLC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
X509v3 Subject Alternative Name: critical
DNS:*.node.consul
Signature Algorithm: sha256WithRSAEncryption
And for the certificate itself:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d7:9b:09:48:1f:62:44:95:80:ef:b7:e4:5c:e1:c7:4b
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=*.node.consul/emailAddress=ecoan@instructure.com, O=Instructure, OU=Ops, C=US, ST=UT, L=SLC
Validity
Not Before: Jan 1 18:41:57 2018 GMT
Not After : Jan 1 18:41:57 2021 GMT
Subject: CN=i-02da590eb53768ddc.node.consul/emailAddress=ecoan@instructure.com, O=Instructure, OU=Ops, C=US, ST=UT, L=SLC
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Key Identifier:
AA:C7:CB:B6:22:D2:EF:05:72:89:92:DF:2E:44:6B:D5:33:00:D8:06
X509v3 Subject Alternative Name: critical
DNS:i-02da590eb53768ddc.node.consul
Signature Algorithm: sha256WithRSAEncryption
I assume this is probably due to something in the way I've generated the certificates, but I'm not really sure where to check. It's my understanding that error 20, unable to look up local issuer certificate, happens when it can't find a particular cert in the chain. However, I'm not sure why it can't find the full info it needs.
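
An added example, not part of the original post: a small checker that reads the issuer-related fields from openssl x509 -text -noout output and tests what a verifier needs before it accepts the -CAfile certificate as the issuer: matching names, CA:TRUE, and, when a Key Usage extension is present, Certificate Sign (keyCertSign, RFC 5280). The sample text is constructed from fields in the two dumps above with the DNs shortened, and the function names are hypothetical.

```python
import re

# Constructed sample: issuer-related fields from the two dumps in the post,
# with DNs shortened and key/signature bytes left out.
CA_TEXT = """\
Issuer: CN=*.node.consul, O=Instructure, OU=Ops
Subject: CN=*.node.consul, O=Instructure, OU=Ops
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
"""
LEAF_TEXT = """\
Issuer: CN=*.node.consul, O=Instructure, OU=Ops
Subject: CN=i-02da590eb53768ddc.node.consul, O=Instructure, OU=Ops
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
"""

def parse_dump(text):
    """Pull issuer-related fields out of `openssl x509 -text` output."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    info = {"issuer": "", "subject": "", "key_usage": None, "ca": False}
    for ln, nxt in zip(lines, lines[1:] + [""]):
        if ln.startswith("Issuer:"):
            # Normalise "CN = x" and "CN=x" so DNs compare equal across versions.
            info["issuer"] = re.sub(r"\s*=\s*", "=", ln[7:].strip())
        elif ln.startswith("Subject:"):
            info["subject"] = re.sub(r"\s*=\s*", "=", ln[8:].strip())
        elif ln.startswith("X509v3 Key Usage"):
            # Extension values are printed on the line after the header.
            info["key_usage"] = {u.strip() for u in nxt.split(",")}
        elif ln.startswith("X509v3 Basic Constraints"):
            info["ca"] = "CA:TRUE" in nxt
    return info

def issuer_problems(leaf_text, ca_text):
    """Return reasons the CA file would not be accepted as the leaf's issuer."""
    leaf, ca = parse_dump(leaf_text), parse_dump(ca_text)
    problems = []
    if leaf["issuer"] != ca["subject"]:
        problems.append("leaf Issuer differs from CA Subject")
    if not ca["ca"]:
        problems.append("CA lacks Basic Constraints CA:TRUE")
    if ca["key_usage"] is not None and "Certificate Sign" not in ca["key_usage"]:
        problems.append("CA Key Usage lacks Certificate Sign")
    return problems

if __name__ == "__main__":
    print(issuer_problems(LEAF_TEXT, CA_TEXT))
```

Run against the fields from the post, it reports only the missing Certificate Sign usage on the CA; the name and CA:TRUE checks pass.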