
I'm new to setting up SSL from scratch and have done my first steps. I bought an SSL cert from RapidSSL for my domain and followed their steps to install the cert. In general the cert is valid and working on my webserver (nginx v1.4.6 - Ubuntu 14.04.1 LTS), but if I try to activate OCSP I get the following error in my nginx error.log:

OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: gv.symcd.com

I tried it also with this command from the command line:

openssl s_client -connect mydomain.tld:443 2>&1 < /dev/null

And got the "same" error as in my error.log:

[...]SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 [...] Start Time: 1411583991 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate)

But if I download the GeoTrust Root Certificate and try it with this command:

openssl s_client -connect mydomain.tld:443 -CAfile GeoTrust_Global_CA.pem 2>&1 < /dev/null

Verification is ok:

[...]SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 [...] Start Time: 1411583262 Timeout : 300 (sec) Verify return code: 0 (ok)

So somehow the GeoTrust Root Cert isn't found/delivered.

My nginx site config:

server {
    listen 443;
    server_name mydomain.tld;

    ssl on;
    ssl_certificate /etc/ssl/certs/ssl.crt;
    ssl_certificate_key /etc/ssl/private/ssl.key;


    # Resumption
    ssl_session_cache shared:SSL:20m;

    # Timeout
    ssl_session_timeout 10m;

    # Security options
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    # OCSP Stapling
    # It means that you sent status info about your certificate along with the request,
    # instead of making the browser check the certificate with the Certificate Authority.
    # This removes a large portion of the SSL overhead, the CloudFlare post above explains it in more detail.
    ssl_stapling on;
    ssl_stapling_verify on;
    #ssl_trusted_certificate /etc/ssl/certs/ssl.pem;

    #resolver 8.8.8.8 8.8.4.4 valid=300s;
    #resolver_timeout 10s;

    # This forces every request after this one to be over HTTPS
    add_header Strict-Transport-Security "max-age=31536000";
    [...]
}

RapidSSL wrote in their documentation that I should add the following certificates into ssl.crt in the following order:

  1. myserver.crt
  2. Intermediate CA Bundle (RapidSSL SHA256 CA - G3)
  3. Intermediate CA Bundle (GeoTrust Global CA)

So I did...

Right now I've no idea what I'm doing wrong... hopefully someone here can help me.

Thank you!

Digital site
kapale

2 Answers


Those two errors were unrelated although the error message was the same.

[...]SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 [...] Start Time: 1411583991 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate)

The above error was issued by the openssl s_client command. As explained by Florian Heigl, you get this error because openssl s_client needs the Globalsign Root cert in /etc/ssl/certs.

OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: gv.symcd.com

This error was issued by the nginx OCSP routine, specifically when you add the ssl_stapling_verify on; line in nginx.conf.

Here is an excerpt from the documentation of ssl_stapling_verify to explain why it throws the error:

Syntax: ssl_stapling_verify on | off;

Enables or disables verification of OCSP responses by the server.

For verification to work, the certificate of the server certificate issuer, the root certificate, and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive.

In other words, you need to provide (2) Intermediate CA Bundle (RapidSSL SHA256 CA - G3) and (3) Intermediate CA Bundle (GeoTrust Global CA) to the ssl_trusted_certificate directive.

cat GeoTrustGlobalCA.crt rapidsslG3.crt > ocsp-chain.crt

and add ocsp-chain.crt to the ssl_trusted_certificate directive.

masegaloeh
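As an added example (not part of this answer or of nginx itself), a small Python check that reads a server block like the one in the question and reports the conditions behind the OCSP_basic_verify() error: ssl_stapling_verify on with no active ssl_trusted_certificate, plus the resolver that stapling also needs to reach the responder. The sample config is constructed from the question's block, and the fixed_conf() helper applies this answer's ocsp-chain.crt.

```python
import re
from typing import Dict, List

# Constructed sample: the questioner's server block reduced to the directives that
# matter for stapling. Note the trusted-chain and resolver lines are commented out.
SAMPLE_CONF = """
server {
    listen 443;
    ssl_certificate /etc/ssl/certs/ssl.crt;
    ssl_certificate_key /etc/ssl/private/ssl.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
    ssl_stapling_verify on;
    #ssl_trusted_certificate /etc/ssl/certs/ssl.pem;
    #resolver 8.8.8.8 8.8.4.4 valid=300s;
}
"""

def active_directives(conf: str) -> Dict[str, List[str]]:
    """Map each uncommented 'name args;' directive to its argument list."""
    found: Dict[str, List[str]] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # a '#' anywhere starts a comment in nginx
        m = re.match(r"^(\w+)\s*(.*?);\s*$", line)
        if m:
            found[m.group(1)] = m.group(2).split()
    return found

def stapling_issues(conf: str) -> List[str]:
    """Return the reasons this server block cannot staple (and verify) OCSP responses."""
    d = active_directives(conf)
    issues: List[str] = []
    if d.get("ssl_stapling", ["off"])[0] != "on":
        return issues                          # stapling is off, so nothing to check
    if d.get("ssl_stapling_verify", ["off"])[0] == "on" and "ssl_trusted_certificate" not in d:
        # the OCSP_basic_verify() failure from the question: no issuer chain to verify against
        issues.append("ssl_stapling_verify on without ssl_trusted_certificate (root + intermediates)")
    if "resolver" not in d:
        issues.append("no resolver: nginx cannot look up the OCSP responder (e.g. gv.symcd.com)")
    if "SSLv3" in d.get("ssl_protocols", []):
        issues.append("ssl_protocols still allows SSLv3")
    return issues

def fixed_conf(conf: str) -> str:
    """Apply the accepted answer: enable the trusted chain file and a resolver, drop SSLv3."""
    conf = conf.replace("#ssl_trusted_certificate /etc/ssl/certs/ssl.pem;",
                        "ssl_trusted_certificate /etc/ssl/certs/ocsp-chain.crt;")
    conf = conf.replace("#resolver", "resolver")
    return conf.replace("ssl_protocols SSLv3 ", "ssl_protocols ")
```

Running stapling_issues() on the sample reports all three findings, and on fixed_conf() of the same text it reports none.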

I can only answer part of this.

openssl s_client -connect mydomain.tld:443 2>&1 < /dev/null

would need the Globalsign Root cert in /etc/ssl/certs. There is a ca-certificates package; do you have that installed?

Florian Heigl
  • I don't understand why to use the Globalsign Root cert when dealing with RapidSSL and GeoTrust?? They are different from Globalsign... correct me if I'm wrong! – Digital site Jul 19 '15 at 05:11