List, good afternoon,
I'd appreciate some advice about how to fix an SSL error I'm hitting
while accessing a government website required for online filing.
Oddly, this error has just occurred, but we've been using the service
without difficulty for a few years.
The SSL failure is reported by the application as an
"SSL Certificate Verification Error"; no other information.
Using openssl -showcerts, a "verify error" is reported. Here's the
dialogue - I've skipped the bulk of the certificate texts.
ron@debians5:~$ openssl s_client -showcerts -connect secure.gateway.gov.uk:443 </dev/null
CONNECTED(00000003)
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
Server CA - G3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=GB/ST=London/L=London/O=Department for Work and
Pensions/OU=Transformational Government/CN=secure.gateway.gov.uk
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
Server CA - G3
-----BEGIN CERTIFICATE-----
MIIFTTCCBDWgAwIBAgIQVvXmnZpU7GpmDQbP2RA+DDANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
[...]
T5A4onjwNgpfTwlfM0BaqhMjii2rrUrWdz++8gPO1SnJNFM5kKwzq8jjj6ezFfZQ
iV/THI2bNvQl6In1tHt8rO8=
-----END CERTIFICATE-----
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
Server CA - G3
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
MIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
[...]
W+yzf5VK+wPIrSbb5mZ4EkrZn0L74ZjmQoObj49nJOhhGbXdzbULJgWOw27EyHW4
Rs/iGAZeqa6ogZpHFt4MKGwlJ7net4RYxh84HqTEy2Y=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=GB/ST=London/L=London/O=Department for Work and
Pensions/OU=Transformational Government/CN=secure.gateway.gov.uk
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of
use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure
Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 3043 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 89[...]F6
Session-ID-ctx:
Master-Key: 5A[...]93
Key-Arg : None
Start Time: 1462378147
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
DONE
ron@debians5:~$
I've updated the machine (using synaptic) with the latest
ca-certificates, but the error remains (this is the current output,
after certificate updates).
The system was working fine last month, but seems to fail today. I'm
not familiar with the 'behind the scenes' workings of openssl and the
certificate chains, and would appreciate any insight into what might
be going wrong.
regards, Ron
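As an added illustration that is not part of Ron's post or any reply on the list: the script below builds a throwaway root -> intermediate -> leaf chain with the openssl command line, then runs `openssl verify` once with an unrelated root as the only trust anchor, which reproduces the same "error 20 at 1 depth lookup: unable to get local issuer certificate" that s_client prints above, and once with the real root, which verifies. All certificate names are constructed; it assumes only that the openssl binary is installed.

```shell
#!/bin/sh
# Constructed demo (not from the post): build root -> intermediate -> leaf and
# reproduce openssl verify error 20 when the root is absent from the trust file.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_chain: constructed CA hierarchy; only the root is meant to be a trust anchor.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # An unrelated self-signed root, standing in for a trust store that lacks ours.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated Root CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
  # Intermediate CA signed by the root (the role the "Secure Server CA - G3" plays above).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >"$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # Leaf (server) certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_leaf TRUSTFILE: the intermediate is offered as an untrusted chain cert
# (the way a server sends it); TRUSTFILE is the trust anchor. Prints "ok" or
# "error <num> depth <n>", the same numbers s_client shows in its verify lines.
verify_leaf() {
  if out=$(openssl verify -CAfile "$1" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" 2>&1); then
    echo ok
  else
    printf '%s\n' "$out" \
      | sed -n 's/.*error \([0-9]*\) at \([0-9]*\) depth lookup.*/error \1 depth \2/p' \
      | head -n1
  fi
}

make_chain
echo "unrelated root in trust file: $(verify_leaf "$WORK/other.pem")"  # error 20 depth 1
echo "correct root in trust file:   $(verify_leaf "$WORK/root.pem")"   # ok
```

The failing run matches Ron's session exactly: depth 1 is the intermediate, and error 20 means the verifier found no issuer for it in the local trust store, not that the server's certificate itself is bad.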