OpenSSL "unable to get local issuer certificate" even when passing in the Certificate Authority

Question

I've attempted to setup a certificate authority, and issue a certificate from that authority (with no intermediate inbetween The authority covers *.node.consul, and the certificate is underneath that at: i-0c2e25880dab06f71.node.consul). However when executing openssl verify (passing in the -CAfile option), it seems to still not be able to complete the lookup:

root@i-0c2e25880dab06f71:~# openssl verify -verbose -CAfile /root/ssl-ca.crt /root/ssl-cert.pem
/root/ssl-cert.pem: CN = i-0c2e25880dab06f71.node.consul, emailAddress = ecoan@instructure.com, O = Instructure, OU = Ops, C = US, ST = UT, L = SLC
error 20 at 0 depth lookup:unable to get local issuer certificate

Reading in the certificates with:

openssl x509 -in /root/ssl-cert.pem -text -noout

Leads to the following two outputs:

for the ca:

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        d3:f3:bc:d7:8f:6c:43:2f:ad:9b:6c:3e:1d:13:8e:c4
Signature Algorithm: sha256WithRSAEncryption
    Issuer: CN=*.node.consul/emailAddress=ecoan@instructure.com, O=Instructure, OU=Ops, C=US, ST=UT, L=SLC
    Validity
        Not Before: Jan  1 16:52:31 2018 GMT
        Not After : Jan  1 16:52:31 2038 GMT
    Subject: CN=*.node.consul/emailAddress=ecoan@instructure.com, O=Instructure, OU=Ops, C=US, ST=UT, L=SLC
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (4096 bit)
            Modulus:
                00:be:15:5d:e3:32:b0:58:bf:01:7b:73:c2:ad:b6:
                7c:59:9f:ca:a0:6a:26:64:8b:56:83:6e:43:b6:aa:
                e9:81:70:39:70:22:bd:10:a4:d8:d1:a1:a1:cb:0d:
                eb:d2:5c:c3:f8:9c:d2:d9:a5:d0:48:65:bb:d1:a8:
                1a:cc:a4:53:27:9a:ca:fc:23:84:e3:f7:59:97:d6:
                05:35:f5:94:5e:af:aa:a8:4f:24:25:0a:8e:e1:21:
                6a:35:a5:e7:da:ed:f4:50:2c:cc:ef:ac:a6:28:da:
                c1:a3:ea:53:84:64:9f:2c:a0:6a:73:6a:8d:e6:7e:
                03:10:dd:42:cc:89:24:13:d7:5d:14:43:e2:cc:9a:
                12:ef:4b:c6:96:fb:20:88:0e:fc:6c:b3:88:ba:ed:
                64:d9:f7:8f:97:e1:50:a0:ae:42:5f:4f:8e:8f:7e:
                40:fd:e5:a3:f4:1d:fc:88:f0:c3:2e:d1:1d:32:fb:
                95:85:00:23:ba:d3:cc:0c:65:8e:be:e0:dd:4f:5f:
                22:fe:26:8d:1c:12:94:0a:d1:44:4d:0c:be:72:56:
                c6:7e:be:cb:81:41:0f:20:d8:31:34:d9:4c:11:ae:
                c5:12:57:35:bf:15:8c:ea:15:88:29:2d:81:c8:11:
                fb:a8:13:7a:cb:eb:68:f8:32:47:98:fa:dc:86:a9:
                07:4a:cf:96:0d:fd:ce:09:48:df:ac:f7:f4:57:d0:
                13:d5:75:cc:3d:63:3c:26:2d:95:88:b7:f9:27:83:
                2a:ff:1f:63:fd:b5:f0:e9:d3:cf:85:3b:7a:6e:0e:
                56:46:70:29:1e:be:3f:02:81:81:0c:0b:d4:88:da:
                7f:93:46:03:d1:0c:73:97:44:33:a3:0b:1a:a0:a6:
                b5:4d:f1:95:ea:37:7f:ac:e2:71:e1:90:94:97:99:
                5f:d8:84:f5:29:9e:9a:86:ff:cd:6e:7d:b0:64:2e:
                a1:21:a8:4a:84:e3:6c:a9:ac:cf:62:3e:8f:fd:71:
                14:c9:c1:dc:99:13:84:9a:47:9a:42:53:52:e0:72:
                32:48:9d:1b:ab:ea:c4:97:24:20:a3:86:e3:d5:d5:
                79:c6:bf:e1:b0:31:a7:8f:8d:bc:0b:f3:b4:ab:03:
                f1:e2:68:08:e0:3a:c3:50:3e:c1:40:8b:42:ae:71:
                7d:7b:24:24:34:75:df:9f:b2:75:16:63:af:7b:58:
                fb:eb:0c:8e:44:a7:1b:bb:59:c9:b4:db:c1:b4:9a:
                c1:b1:42:a5:4b:62:b4:84:ab:c9:b0:6e:fe:db:20:
                9e:32:24:0c:3c:dd:8b:82:9a:f6:75:76:73:6f:73:
                f6:34:d8:02:b7:01:7c:e2:f7:90:43:5e:d0:00:dc:
                0f:4d:e1
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Extended Key Usage: 
            TLS Web Client Authentication, TLS Web Server Authentication
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:1
        X509v3 Subject Alternative Name: critical
            DNS:*.node.consul
Signature Algorithm: sha256WithRSAEncryption
     53:52:50:d2:25:01:8f:7a:fb:03:18:2f:3c:cd:d2:85:4f:d2:
     4d:39:8e:e4:06:bb:fa:8d:9a:9a:ab:e0:8f:ce:bb:6f:74:49:
     1d:72:fb:27:e8:0f:bb:62:40:d7:06:69:71:4f:21:39:ac:ba:
     78:b5:a8:43:8c:2d:6c:87:45:8e:75:9e:a4:79:65:cb:b0:bf:
     47:0c:86:7a:a8:9b:40:80:71:30:a5:fe:db:1f:f2:2e:41:85:
     f2:1d:8a:31:bd:ec:6d:94:58:a5:b5:93:25:6f:b8:bd:4e:13:
     7a:40:d2:e2:bc:41:e6:33:fe:22:55:bb:01:5d:7e:af:8d:62:
     9b:9f:9d:c9:e8:63:4d:7a:b5:f9:13:8f:f3:45:68:a8:1f:e7:
     d5:5b:cc:77:49:eb:c9:26:3d:19:50:b6:34:e8:e4:21:14:37:
     aa:76:d0:e0:77:69:77:ab:6a:da:0d:e7:22:6d:23:61:5c:8b:
     da:64:da:48:5a:6f:01:42:0f:c1:24:06:5c:f6:06:3c:45:3a:
     37:c0:3e:0a:ee:cb:44:aa:d3:a9:74:d0:e2:77:30:d4:0a:8b:
     13:73:ba:a6:a2:3b:02:f0:60:fa:6e:27:20:d1:3d:23:64:38:
     4d:54:36:c5:20:04:d1:2e:68:6d:5c:30:af:ef:5a:a5:7f:a5:
     06:c2:f7:51:40:ec:14:c7:1d:bc:45:7f:fe:77:02:50:aa:37:
     19:9d:2c:02:74:a3:56:e5:d4:36:e9:c0:33:bc:c8:52:e2:c8:
     1e:21:26:83:cb:e3:b6:72:55:df:1e:dc:48:7b:d8:1a:ca:2a:
     21:4f:eb:94:9f:de:82:f8:5b:82:0d:ef:d5:e9:89:99:b4:48:
     ce:d5:9e:a4:ca:3b:c9:e1:19:a5:60:ec:04:36:31:11:b0:31:
     7a:22:64:9c:6e:dd:82:e4:65:96:a2:e3:aa:9c:99:ec:f5:e1:
     48:84:7c:f5:38:00:cb:24:cf:5d:ed:e5:87:a9:86:c5:cb:4f:
     65:6a:35:21:2e:30:cd:e6:85:84:13:e3:ff:9c:72:4d:a8:9c:
     fb:63:01:eb:a8:ae:6f:84:66:b8:bd:fe:0f:c9:17:96:8d:42:
     9d:8c:0c:bc:90:ab:17:19:df:6f:6a:28:fc:8c:50:6d:88:69:
     31:75:6e:d7:6d:f2:f4:70:f0:64:14:c2:fc:57:dc:f3:68:57:
     9d:4c:fe:94:e5:13:d7:9f:ad:ee:68:1b:df:9c:af:bb:f4:73:
     83:d6:0a:54:fa:73:ec:02:f2:f2:87:35:7c:2a:58:df:20:32:
     1a:c2:c2:ba:1d:4f:5f:8c:fe:3c:7e:e7:0c:80:0e:27:57:c2:
     01:48:1f:58:f7:2c:f3:b7

And for the certificate itself:

Certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        d7:9b:09:48:1f:62:44:95:80:ef:b7:e4:5c:e1:c7:4b
Signature Algorithm: sha256WithRSAEncryption
    Issuer: CN=*.node.consul/emailAddress=ecoan@instructure.com, O=Instructure, OU=Ops, C=US, ST=UT, L=SLC
    Validity
        Not Before: Jan  1 18:41:57 2018 GMT
        Not After : Jan  1 18:41:57 2021 GMT
    Subject: CN=i-02da590eb53768ddc.node.consul/emailAddress=ecoan@instructure.com, O=Instructure, OU=Ops, C=US, ST=UT, L=SLC
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (4096 bit)
            Modulus:
                00:aa:77:6d:61:52:be:92:78:b6:b2:82:41:93:08:
                86:ba:00:e3:fc:d4:43:2e:3a:e6:49:f8:9d:dc:e5:
                40:f3:18:18:ac:56:ae:a1:96:b6:ff:35:63:97:8b:
                9b:a7:cc:c0:f3:7b:99:82:8e:4c:cf:d4:25:56:c2:
                32:2f:35:08:5f:79:ee:ea:52:02:2b:2f:11:ac:10:
                ea:18:e7:00:b6:52:ee:df:c7:01:7a:68:7e:32:1c:
                63:73:77:43:99:a0:a6:13:05:26:39:e2:4d:b9:e6:
                c1:58:99:02:dc:0c:99:90:1f:d4:79:9e:fe:77:99:
                58:a7:a7:26:42:9e:13:34:f3:e9:c2:f2:3a:6f:72:
                33:55:ad:66:89:4a:39:4b:c9:67:a8:d2:8e:80:75:
                42:c9:01:9e:e7:d0:b1:7a:63:f5:6b:f1:a4:66:be:
                d9:e5:e9:87:4c:2e:99:87:0f:26:1f:2c:19:25:78:
                82:fe:31:e2:26:6f:de:0d:93:75:65:7f:cc:c9:a3:
                24:69:db:7b:57:57:fa:49:ec:39:8c:ac:92:2f:1c:
                cc:3d:e4:e2:6c:48:4b:bb:35:20:74:77:91:80:ad:
                7d:9d:9f:7b:53:7c:bf:98:bb:a6:27:15:de:aa:27:
                e3:8b:87:3b:35:50:ac:6d:36:ba:2b:95:b5:4b:2b:
                ce:6b:84:91:e0:4d:e0:21:fd:d3:80:43:17:98:ff:
                66:b8:7f:32:f9:ed:d3:25:a3:6f:b4:e9:26:56:4c:
                c3:d8:2f:2f:6e:f8:9a:85:4d:a9:05:d2:f5:60:1d:
                42:df:29:75:1b:2c:66:b1:a4:56:8a:0b:43:14:b8:
                7d:62:4d:5a:1b:a6:a1:da:98:64:4e:e2:e2:8b:8d:
                c9:57:f9:7d:58:91:12:d7:dd:7b:52:7c:00:91:bc:
                ab:25:a0:63:91:8c:02:c8:8f:7e:23:80:33:95:b2:
                4a:ea:f9:ee:87:1a:17:f1:85:60:ae:db:f1:d3:63:
                ab:0b:d8:ab:7c:56:90:8f:f5:9a:60:25:2b:81:b5:
                df:bc:f7:0d:9c:47:8a:b6:4d:2b:88:21:cf:bd:d5:
                fe:1a:d7:76:19:03:06:d1:9b:67:42:f9:8f:be:27:
                61:9f:a8:9c:2a:57:96:e1:a2:d8:84:7f:9f:15:bb:
                b2:ae:21:92:7a:4c:42:69:10:63:da:bf:b6:eb:74:
                57:13:6f:d9:c2:a9:99:09:09:b5:d6:ff:e0:c4:eb:
                91:bf:4d:9e:98:3e:e3:8c:69:7a:06:01:f7:d0:75:
                df:d2:6e:78:b2:39:6a:73:70:41:dd:30:f5:00:c0:
                f6:70:d3:63:76:98:01:ee:52:4a:92:77:39:c5:ab:
                99:33:97
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 Extended Key Usage: 
            TLS Web Client Authentication, TLS Web Server Authentication
        X509v3 Subject Key Identifier: 
            AA:C7:CB:B6:22:D2:EF:05:72:89:92:DF:2E:44:6B:D5:33:00:D8:06
        X509v3 Subject Alternative Name: critical
            DNS:i-02da590eb53768ddc.node.consul
Signature Algorithm: sha256WithRSAEncryption
     ab:dc:ad:f4:55:af:a6:ca:27:d2:7a:f6:77:b3:4f:1d:14:41:
     7c:56:3a:a0:75:de:1f:0a:3c:7f:50:d0:4d:b0:1b:01:75:4c:
     d0:19:c7:5d:86:c5:ac:85:10:9e:58:22:87:23:70:27:a5:75:
     11:73:6f:2f:8e:f3:90:ca:51:c7:cb:75:46:59:91:3f:d3:f3:
     dd:d4:60:4d:60:e1:82:a9:c6:e8:ac:3e:01:9d:4d:b8:cb:70:
     90:2a:f6:58:ba:dd:44:67:e7:7e:71:70:cc:fc:5a:7e:1e:e4:
     32:e4:2c:43:64:79:69:32:a4:d2:12:5a:fe:3e:e3:47:b9:3d:
     8d:41:16:b5:5e:d8:bd:dd:39:e8:0a:8a:ee:7d:44:fd:98:bc:
     02:79:57:d5:2d:dd:f7:14:87:f5:19:29:80:27:f4:3d:6e:0d:
     0a:ce:78:fd:e1:1e:b3:7e:4b:cd:07:d7:e3:4e:50:35:56:a6:
     8d:ea:3d:b3:ab:99:55:54:27:22:9d:3d:7d:93:37:b6:9d:51:
     5d:f1:64:69:d9:72:de:58:e2:ec:4e:c0:0e:62:77:68:13:5e:
     2d:01:7b:06:ec:8a:23:bc:6f:e5:ee:b5:1d:0b:4d:08:35:6c:
     49:a4:43:24:32:99:ad:fd:34:44:24:ba:49:f7:79:28:0e:88:
     cb:72:9b:ce:c4:9d:fc:e1:5f:3c:d9:f5:18:ae:e9:f4:4a:52:
     72:03:cb:77:23:0d:9b:63:9a:1f:66:fe:6e:f1:78:87:85:80:
     93:39:d7:59:dd:7b:4b:c5:b2:13:7b:f5:ab:78:ac:32:cf:b1:
     b6:2b:08:5f:ba:46:fd:50:82:48:62:81:e6:9d:77:05:25:53:
     40:c1:6d:8b:b2:89:5f:fb:6e:f9:d3:69:e7:d6:f8:7c:5e:72:
     0a:19:d5:bc:ec:4f:f3:91:38:cc:88:58:f1:19:0b:08:8a:76:
     45:c8:3f:30:52:ff:8c:83:01:5e:c8:f7:41:ee:38:13:db:ce:
     9b:86:a3:0b:a3:3d:48:d1:03:2c:ab:6f:1c:b1:46:67:70:13:
     64:99:c3:37:21:af:4d:ce:0a:28:9c:94:67:89:d4:04:5d:a2:
     56:fa:e0:bb:82:5f:75:d4:a5:22:a7:57:53:dc:cb:f1:65:e3:
     df:b6:66:a2:88:39:25:09:b5:84:a8:5b:a7:76:89:a1:46:7b:
     16:d3:df:7f:ab:a2:41:c1:cb:0b:75:98:8c:d6:67:fd:5b:4a:
     ad:50:a9:e0:af:5c:f3:28:a0:aa:80:62:f5:77:4d:17:d4:6a:
     3f:2a:6a:59:47:c4:b1:88:36:f6:55:f2:32:84:6b:70:78:3a:
     d2:b4:13:53:e2:1c:e8:ef

I assume this is probably due to something in the way I've generated the certificates, but I'm not really sure where to check. As it's my understanding error 20 unable to lookup local issuer certificate happens when it can't find a particular cert in the chain. However, I'm not sure why it can't find the full info it needs.

score 6 · Accepted Answer · edited Oct 07 '21 at 07:59

You CA certificates has the following extensions:

X509v3 extensions:
    X509v3 Extended Key Usage: 
        TLS Web Client Authentication, TLS Web Server Authentication
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Basic Constraints: critical
        CA:TRUE, pathlen:1
    X509v3 Subject Alternative Name: critical
        DNS:*.node.consul

Apart from the fact that there is no need for Subject Alternative Name extension and TLS Web Client/Server Authentication key usage for a CA certificate none of the given key usages is needed for a CA but the one which is needed is missing.

Lets see what the key usages you have are needed for. The relevant citations are taken from RFC 5280 section 4.2.1.3 Key Usage.

Digital Signature
The digitalSignature bit is asserted when the subject public key is used for verifying digital signatures, other than signatures on certificates (bit 5) and CRLs (bit 6), such as those used in an entity authentication service, a data origin authentication service, and/or an integrity service.
Key Encipherment
The keyEncipherment bit is asserted when the subject public key is used for enciphering private or secret keys, i.e., for key transport. For example, this bit shall be set when an RSA public key is to be used for encrypting a symmetric content-decryption key or an asymmetric private key.

In other words: none of these key usages is relevant when validating the signature on certificates.

But there is one important key usage needed when validating certificates:

Certificate Sign
The keyCertSign bit is asserted when the subject public key is used for verifying signatures on public key certificates. If the keyCertSign bit is asserted, then the cA bit in the basic constraints extension (Section 4.2.1.9) MUST also be asserted.

Only, this key usage is missing on your CA certificate. That's why it will not use this CA certificate to validate the signature of the leaf certificate and thus it fails to build the trust chain. Once you add this key usage to your CA certificate (and preferable remove all the unneeded key usage, purpose and SAN) it will successfully be used to validate the leaf certificate.

If that was there, it would look like

X509v3 Key Usage: critical
    Digital Signature, Certificate Sign, Key Encipherment

@EvanCarroll: not in OpenSSL, which displays in the bit order defined by the ASN.1 which puts `Certificate Sign` AFTER `Key Encipherment` if both are present (which Steffen didn't recommend anyway) — dave_thompson_085, Apr 24 '19 at 22:50

OpenSSL "unable to get local issuer certificate" even when passing in the Certificate Authority

1 Answers1

Linked