[squeak-dev] SSL/Socket error code interpretation
Tobias Pape
Das.Linux at gmx.de
Tue May 12 06:06:25 UTC 2020
>>> Can anyone reassure me or correct me on that?
>>
>> The 20 does not represent a SqueakSSL error code but an OpenSSL one:
>>
>> 20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
>> the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.
>>
>> Which probably means that openssl does not find the COMODO issuer cert in its location.
>> Maybe we also did not set the path to the local cert store correctly...
>>
>> When I use openssl s_client from macOS 10.12 OpenSSL (0.9.8), I get a similar result:
>>
>> $ openssl s_client -connect sagetea.ai:443
>> CONNECTED(00000003)
>> depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=sagetea.ai
>> verify error:num=20:unable to get local issuer certificate
>> verify return:1
>> depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = sagetea.ai
>> verify error:num=21:unable to verify the first certificate
>> verify return:1
>> ....
>>
>> same for OpenSSL 1.1 and LibreSSL.
>>
>> So, unless you have the Comodo intermediate Cert somewhere in a local cert store, 20 is correct.
>
> Aaand this is a common thing since >5 years:
>
> https://stackoverflow.com/questions/25213923/ssl-site-and-browser-warning#25214924
And one More: curl on my Linux box does also no know about that cert:
% curl https://sagetea.ai
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
zsh: exit 60 curl https://sagetea.ai
(on mac, this works as it uses SecureTransport, if I'm not mistaken...)
Best regards
-Tobias
More information about the Squeak-dev
mailing list
|