LinuxQuestions.org
Linux - Security
Old 01-04-2021, 11:09 PM   #1
zaxonus
Member
 
Registered: Jul 2005
Posts: 66

Rep: Reputation: 15
openssl verify throwing unexpected error 24.


I am trying to follow a solution in this post to understand some problem that I have with openssl. But though it mostly works, I have an error at the end.

Note that the errors on the first two commands (at the end) are expected, only the last one is a problem. According to the post the last command should work.

If someone could tell me what is wrong, that would be very helpful.
Following is the sequence of relevant commands. The "ls" are only here to follow what is happening.

Code:
...$ openssl req -newkey rsa:4096 -nodes -keyout ca-key.pem -sha384 -x509 -days 365 -out ca-crt.pem -subj /C=XX/ST=YY/O=RootCA
Generating a RSA private key
.........................................++++
.........................................................................................................++++
writing new private key to 'ca-key.pem'
-----
...$ ls
ca-crt.pem  ca-key.pem
...$ openssl req -newkey rsa:3072 -nodes -keyout int-key.pem -new -sha384 -out int-csr.pem -subj /C=XX/ST=YY/O=IntermediateCA
Generating a RSA private key
........................++++
.......++++
writing new private key to 'int-key.pem'
-----
...$ ls
ca-crt.pem  ca-key.pem  int-csr.pem  int-key.pem
...$ openssl x509 -req -days 360 -in int-csr.pem -CA ca-crt.pem -CAkey ca-key.pem -CAcreateserial -out int-crt.pem
Signature ok
subject=C = XX, ST = YY, O = IntermediateCA
Getting CA Private Key
...$ ls
ca-crt.pem  ca-crt.srl  ca-key.pem  int-crt.pem  int-csr.pem  int-key.pem
...$ 
...$ openssl req -newkey rsa:2048 -nodes -keyout usr-key.pem -new -sha256 -out usr-csr.pem -subj /C=XX/ST=YY/O=LockCmpXchg8b
Generating a RSA private key
................+++++
................................................................................+++++
writing new private key to 'usr-key.pem'
-----
...$ ls
ca-crt.pem  ca-crt.srl  ca-key.pem  int-crt.pem  int-csr.pem  int-key.pem  usr-csr.pem  usr-key.pem
...$ openssl x509 -req -days 360 -in usr-csr.pem -CA int-crt.pem -CAkey int-key.pem -CAcreateserial -out usr-crt.pem
Signature ok
subject=C = XX, ST = YY, O = LockCmpXchg8b
Getting CA Private Key
...$ ls
ca-crt.pem  ca-crt.srl  ca-key.pem  int-crt.pem  int-crt.srl  int-csr.pem  int-key.pem  usr-crt.pem  usr-csr.pem  usr-key.pem
...$ 
...$ cat ca-crt.pem int-crt.pem > chain.pem
...$ ls
ca-crt.pem  ca-crt.srl  ca-key.pem  chain.pem  int-crt.pem  int-crt.srl  int-csr.pem  int-key.pem  usr-crt.pem  usr-csr.pem  usr-key.pem
...$ 
...$ openssl verify -CAfile ca-crt.pem usr-crt.pem
C = XX, ST = YY, O = LockCmpXchg8b
error 20 at 0 depth lookup: unable to get local issuer certificate
error usr-crt.pem: verification failed
...$ openssl verify -CAfile int-crt.pem usr-crt.pem
C = XX, ST = YY, O = IntermediateCA
error 2 at 1 depth lookup: unable to get issuer certificate
error usr-crt.pem: verification failed
...$ openssl verify -CAfile chain.pem usr-crt.pem
C = XX, ST = YY, O = IntermediateCA
error 24 at 1 depth lookup: invalid CA certificate
error usr-crt.pem: verification failed
...$
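The `error 24` in the last command above is OpenSSL's `X509_V_ERR_INVALID_CA`: the chain-extension check found that the certificate at depth 1 (`int-crt.pem`) is not an acceptable CA. `openssl x509 -req` adds no extensions unless it is given `-extfile`/`-extensions`, so the intermediate in this session is an X.509 v1 certificate with no `basicConstraints = CA:TRUE` and no `keyUsage`, and `openssl verify` refuses to use it as an issuer even though its signature checks out. The root is not affected because `req -x509` takes the `v3_ca` extensions from the system openssl.cnf on most distributions. The script below is an added example, not code from anyone in the thread: it rebuilds the chain twice under a private config file (all paths, subjects and the config are constructed for the example), once exactly like the session above and once with a CA extension section on the intermediate, then verifies the leaf with the root as the only trust anchor and the intermediate supplied via `-untrusted`.

```shell
#!/bin/sh
# Added example (not from the thread). Requires openssl 1.1.1 or later on PATH.
# Builds root -> intermediate -> leaf twice:
#   mode v1: intermediate signed with "x509 -req" and no extension file (the thread's setup)
#   mode v3: intermediate signed with the v3_int section below (basicConstraints CA:TRUE)
# File names, subjects and the config file are all constructed for this example.
set -u

# make_chain DIR MODE
make_chain() {
    dir=$1; mode=$2
    mkdir -p "$dir"
    # Minimal openssl config so the example does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # Root CA: self-signed and explicitly marked as a CA.
    openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -keyout "$dir/ca-key.pem" \
        -x509 -days 365 -extensions v3_ca -out "$dir/ca-crt.pem" \
        -subj /C=XX/ST=YY/O=RootCA 2>/dev/null || return 1
    # Intermediate CSR, as in the thread.
    openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -keyout "$dir/int-key.pem" \
        -new -out "$dir/int-csr.pem" -subj /C=XX/ST=YY/O=IntermediateCA 2>/dev/null || return 1
    # Only the v3 mode passes an extension section; without it, "x509 -req" emits
    # a certificate with no basicConstraints, which verify will not accept as a CA.
    if [ "$mode" = v3 ]; then
        set -- -extfile "$dir/ca.cnf" -extensions v3_int
    else
        set --
    fi
    openssl x509 -req -days 360 -in "$dir/int-csr.pem" -CA "$dir/ca-crt.pem" \
        -CAkey "$dir/ca-key.pem" -CAcreateserial "$@" -out "$dir/int-crt.pem" 2>/dev/null || return 1
    # Leaf certificate signed by the intermediate, as in the thread.
    openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -keyout "$dir/usr-key.pem" \
        -new -out "$dir/usr-csr.pem" -subj /C=XX/ST=YY/O=Leaf 2>/dev/null || return 1
    openssl x509 -req -days 360 -in "$dir/usr-csr.pem" -CA "$dir/int-crt.pem" \
        -CAkey "$dir/int-key.pem" -CAcreateserial -out "$dir/usr-crt.pem" 2>/dev/null
}

# verify_leaf DIR -- trust only the root; hand the intermediate over as untrusted chain material.
# Prints openssl verify's output and returns its exit status.
verify_leaf() {
    openssl verify -CAfile "$1/ca-crt.pem" -untrusted "$1/int-crt.pem" "$1/usr-crt.pem" 2>&1
}

# has_ca_constraint CERT -- succeeds when the certificate carries basicConstraints CA:TRUE
has_ca_constraint() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# demo -- build both variants and show the verify result for each
demo() {
    work=$(mktemp -d) || return 1
    for mode in v1 v3; do
        make_chain "$work/$mode" "$mode" || { echo "chain build failed ($mode)"; return 1; }
        printf '\n== intermediate signed in mode %s ==\n' "$mode"
        if has_ca_constraint "$work/$mode/int-crt.pem"; then
            echo "int-crt.pem carries basicConstraints CA:TRUE"
        else
            echo "int-crt.pem has no basicConstraints (not usable as a CA)"
        fi
        verify_leaf "$work/$mode"
    done
    rm -rf "$work"
}

demo
```

Running it prints `error 24 at 1 depth lookup: invalid CA certificate` for the v1 chain and `usr-crt.pem: OK` for the v3 chain. The quickest way to confirm this diagnosis on any certificate, including one received from a third party, is `openssl x509 -in int-crt.pem -noout -text`: an intermediate produced as in the session above shows `Version: 1` and no `X509v3 Basic Constraints` block.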
 
Old 01-05-2021, 04:30 AM   #2
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,260

Rep: Reputation: 2322
I don't think that post is a good place to start debugging your errors. It sounds like your keys are in a mess, and I would google the error and do any housekeeping along the way (e.g. move temporarily non-kosher keys) that seems appropriate.
 
Old 01-05-2021, 04:54 AM   #3
zaxonus
Member
 
Registered: Jul 2005
Posts: 66

Original Poster
Rep: Reputation: 15
OK. Which key is in a mess?

You can see with the commands how the keys are made.

I just followed some instructions which I expected to work.

Are the instructions wrong?
Or did I do something wrong on the way?

I already searched the net and did not find much of a solution.
 
Old 01-05-2021, 02:40 PM   #4
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,260

Rep: Reputation: 2322
I don't know either. I saw these errors
Code:
error 20 at 0 depth lookup: unable to get local issuer certificate
error usr-crt.pem: verification failed
and reckoned you had issues. Openssl is fairly good at sorting keys, once you give it half a chance. I would move those keys aside, follow a "Setting up …" type howto with an empty directory and see where you get. Your distro should have instructions. You can always move back the originals.
 
1 members found this post helpful.
Old 07-23-2021, 07:08 AM   #5
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420
Blog Entries: 4

Rep: Reputation: 164
This is the exact same issue I'm seeing with keys being provided to me by another company.

I'm not familiar with openssl, other than the openssl man pages; is there anything else to read up on, on how to troubleshoot? OP, were you able to make any headway on this?

Last edited by JockVSJock; 07-23-2021 at 12:56 PM.
 
Old 07-23-2021, 08:12 AM   #6
maw_walker
Member
 
Registered: Jul 2021
Posts: 119

Rep: Reputation: Disabled
"Unable to get issuer certificate" means openssl can't find all the pieces of the cert chain. Forgive my lack of detail but it's been several years since I have done cert work with openssl. It looks like you are trying to create a p7b (cert and entire chain in a single file), is that correct?
 
Old 07-24-2021, 08:13 AM   #7
JockVSJock
Senior Member
 
Registered: Jan 2004
Posts: 1,420
Blog Entries: 4

Rep: Reputation: 164
Quote:
Originally Posted by maw_walker View Post
"Unable to get issuer certificate" means openssl can't find all the pieces of the cert chain. Forgive my lack of detail but it's been several years since I have done cert work with openssl. It looks like you are trying to create a p7b (cert and entire chain in a single file), is that correct?
I'm not creating the digital cert. It's coming from another company we are working with so we can access their server over a secure connection (either L2TP or PPTP). This other company wants us to import the cert into Mozilla Firefox.

At first the cert wouldn't load into Firefox on a RHEL8 workstation (can't remember the exact error message as I'm at home typing this, not at work). I told the tech rep at the other company and he tried to pass it off that Firefox has been locked down. I don't think that is true as I can type
Code:
about:config
in the search bar and look at all of the various browser settings and change them, if I like. If the browser was truly locked down, I don't think I would be able to do that under RHEL8. Not even sure if that is an option under RHEL8. Windows with IE for sure with Group Policy.

That's when I started to investigate the certs more with openssl commands and found this same thread.

Last edited by JockVSJock; 07-24-2021 at 08:16 AM.
 