verify error:num=21

verify error:num=21

am 03.04.2003 21:52:17 von ACONGER

This is a multi-part message in MIME format.

------_=_NextPart_001_01C2FA1A.87DAC3B0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hi All,
=20
When I submit this command to my Verisign Certificate Secured Site I am =
getting this error.
=20
openssl s_client -connect www.domain.com:443
=20
Its returning these errors:
=20
CONNECTED(00000004)
depth=3D0 /C=3DUS/ST=3Dmichigan/L=3Dsome city/O=3DCompany A =
LLC/OU=3DTerms of use at www.verisign.com/rpa (c)00/CN=3Dwww.domain.com
verify error:num=3D20:unable to get local issuer certificate
verify return:1
depth=3D0 /C=3DUS/ST=3Dmichigan/L=3Dsome city/O=3DCompany A =
LLC/OU=3DTerms of use at www.verisign.com/rpa (c)00/CN=3Dwww.domain.com
verify error:num=3D27:certificate not trusted
verify return:1
depth=3D0 /C=3DUS/ST=3Dmichigan/L=3Dsome city/O=3DCompany A =
LLC/OU=3DTerms of use at www.verisign.com/rpa (c)00/CN=3Dwww.domain.com
verify error:num=3D21:unable to verify the first certificate
verify return:1
etc....
=20
Can anyone identify the reason as to why this is happening? =20
=20
The command I used to create the domain.key file:
/usr/local/ssl/bin/openssl genrsa -des3 -rand =
/var/apache/logs/access_log:/var/log/syslog.5 -out domain.key 1024
=20
I then used this to generate the csr:
/usr/local/ssl/bin/openssl req -new -key doamin.key -out domain.csr
=20
Any help or suggestions would be greatly appreciated! =20
=20
Please see my earlier post "netscape warning message" for additional =
information.
http://marc.theaimsgroup.com/?l=3Dapache-modssl =
2> &m=3D104929700518122&w=3D2
=20
Thanks,
=20
Austin

------_=_NextPart_001_01C2FA1A.87DAC3B0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable



charset=3Diso-8859-1">




Hi=20
All,

size=3D2> 

When I =
submit this=20
command to my Verisign Certificate Secured Site I am getting this=20
error.

size=3D2> 

size=3D2>openssl s_client=20
-connect href=3D"http://www.domain.com:443">www.domain.com:443 DIV>
size=3D2> 

Its =
returning these=20
errors:

size=3D2> 

size=3D2>CONNECTED(00000004)
depth=3D0 /C=3DUS/ST=3Dmichigan/L=3Dsome =

city/O=3DCompany A LLC/OU=3DTerms of use at href=3D"http://www.verisign.com/rpa">www.verisign.com/rpa=20
(c)00/CN=3Dwww.domain.com
verify error:num=3D20:unable to get local =
issuer=20
certificate
verify return:1
depth=3D0 =
/C=3DUS/ST=3Dmichigan/L=3Dsome=20
city/O=3DCompany A LLC/OU=3DTerms of use at href=3D"http://www.verisign.com/rpa">www.verisign.com/rpa=20
(c)00/CN=3Dwww.domain.com
verify error:num=3D27:certificate not =
trusted
verify=20
return:1
depth=3D0 /C=3DUS/ST=3Dmichigan/L=3Dsome=20
city/O=3DCompany A LLC/OU=3DTerms of use at href=3D"http://www.verisign.com/rpa">www.verisign.com/rpa=20
(c)00/CN=3Dwww.domain.com
verify error:num=3D21:unable to verify the =
first=20
certificate
verify return:1

size=3D2>etc....

size=3D2> 

Can =
anyone identify=20
the reason as to face=3DArial=20
size=3D2>why this is happening? 

size=3D2> 

The =
command I used=20
to create the domain.key file:

size=3D2>/usr/local/ssl/bin/openssl genrsa -des3 -rand=20
/var/apache/logs/access_log:/var/log/syslog.5 -out domain.key=20
1024

size=3D2> 

I then =
used this to=20
generate the csr:

size=3D2>/usr/local/ssl/bin/openssl req -new -key doamin.key -out=20
domain.csr

size=3D2> 

Any =
help or=20
suggestions would be greatly appreciated! 

size=3D2> 

Please =
see my=20
earlier post "netscape warning message" for additional=20
information.

href=3D"http://marc.theaimsgroup.com/?l=3Dapache-modssl& m=3D104929700=
518122&w=3D2">http://marc.theaimsgroup.com/?l=3Dapache-m odssl&m=3D=
104929700518122&w=3D2

size=3D2> 

size=3D2>Thanks,

size=3D2> 

size=3D2>Austin


------_=_NextPart_001_01C2FA1A.87DAC3B0--
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: verify error:num=21

am 03.04.2003 22:06:27 von Mads Toftum

On Thu, Apr 03, 2003 at 02:52:17PM -0500, Austin Conger (IT) wrote:
> Hi All,
>
> When I submit this command to my Verisign Certificate Secured Site I am getting this error.
>
> openssl s_client -connect www.domain.com:443
>
> Its returning these errors:
>
> CONNECTED(00000004)
> depth=0 /C=US/ST=michigan/L=some city/O=Company A LLC/OU=Terms of use at www.verisign.com/rpa (c)00/CN=www.domain.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /C=US/ST=michigan/L=some city/O=Company A LLC/OU=Terms of use at www.verisign.com/rpa (c)00/CN=www.domain.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /C=US/ST=michigan/L=some city/O=Company A LLC/OU=Terms of use at www.verisign.com/rpa (c)00/CN=www.domain.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> etc....
>
> Can anyone identify the reason as to why this is happening?
>
Very simple really - openssl is telling you that it can't verify the
certificate because it does not know the CA that it was issued by.
Nothing strange or unexpected in that. Use one of the following to
enable verification:

-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's

By default openssl knows no CA's, so you need to get the CA cert
of the signer and use that.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: verify error:num=21

am 04.04.2003 21:23:19 von ACONGER

thanks, thats what it was!



-----Original Message-----
From: Mads Toftum [mailto:mads@toftum.dk]
Sent: Thursday, April 03, 2003 3:06 PM
To: modssl-users@modssl.org
Subject: Re: verify error:num=3D21


On Thu, Apr 03, 2003 at 02:52:17PM -0500, Austin Conger (IT) wrote:
> Hi All,
> =20
> When I submit this command to my Verisign Certificate Secured Site I =
am getting this error.
> =20
> openssl s_client -connect www.domain.com:443
> =20
> Its returning these errors:
> =20
> CONNECTED(00000004)
> depth=3D0 /C=3DUS/ST=3Dmichigan/L=3Dsome city/O=3DCompany A =
LLC/OU=3DTerms of use at www.verisign.com/rpa (c)00/CN=3Dwww.domain.com
> verify error:num=3D20:unable to get local issuer certificate
> verify return:1
> depth=3D0 /C=3DUS/ST=3Dmichigan/L=3Dsome city/O=3DCompany A =
LLC/OU=3DTerms of use at www.verisign.com/rpa (c)00/CN=3Dwww.domain.com
> verify error:num=3D27:certificate not trusted
> verify return:1
> depth=3D0 /C=3DUS/ST=3Dmichigan/L=3Dsome city/O=3DCompany A =
LLC/OU=3DTerms of use at www.verisign.com/rpa (c)00/CN=3Dwww.domain.com
> verify error:num=3D21:unable to verify the first certificate
> verify return:1
> etc....
> =20
> Can anyone identify the reason as to why this is happening? =20
> =20
Very simple really - openssl is telling you that it can't verify the
certificate because it does not know the CA that it was issued by.
Nothing strange or unexpected in that. Use one of the following to
enable verification:

-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
=20
By default openssl knows no CA's, so you need to get the CA cert
of the signer and use that.

vh

Mads Toftum
--=20
`Darn it, who spiked my coffee with water?!' - lwall

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org