shred/acme4j

Getting Unable to get local issuer certificate

uniquenepalhumepipe opened this issue · 3 comments

I have issued a certificate from Acme4j, but if I try to verify it with openssl verify, it gives me an "unable to get local issuer certificate" error.
I am using the implementation of Acme4j from blynk-server:
https://github.com/blynkkk/blynk-server/blob/master/server/acme/src/main/java/cc/blynk/server/acme/AcmeClient.java
https://github.com/blynkkk/blynk-server/blob/master/server/launcher/src/main/java/cc/blynk/server/workers/CertificateRenewalWorker.java

shred commented

It's hard to do remote debugging with just this little information. However, since you mentioned openssl verify, I guess that your openssl is validating against the DST Root CA X3 certificate, which has actually expired in September 2021, so formally the certificate chain is invalid.

You can download the ISRG Root X1 certificate, and then use this one as root certificate for validation:

openssl verify -CAfile <(cat lets-encrypt-r3.pem isrgrootx1.pem) cert.pem
cert.pem: OK

cert.pem is the certificate chain stored by blynk. lets-encrypt-r3.pem is the intermediate certificate, which is the second certificate in the cert.pem chain, but can also be downloaded from the page linked above.

Thanks for the help :). OpenSSL was the issue. Thank you.
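
An added example (not from the thread or from acme4j/blynk) of the same check with only the root trusted: `openssl verify` checks just the first certificate in the file it is given, so the hypothetical helper `verify_chain` splits a chain file such as cert.pem into leaf and intermediates and passes the intermediates with `-untrusted`. The helper names and the throwaway test PKI are constructed for illustration; against a real chain it would be called as `verify_chain cert.pem isrgrootx1.pem`.

```sh
#!/bin/sh
# verify_chain CHAIN ROOT
# CHAIN holds the leaf first, then any intermediates; only ROOT is trusted.
verify_chain() {
    vc_tmp=$(mktemp -d) || return 2
    # First certificate is the leaf; everything after it is an intermediate.
    awk -v d="$vc_tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > (d "/leaf.pem") }
        n >= 2 { print > (d "/inter.pem") }' "$1"
    if [ -s "$vc_tmp/inter.pem" ]; then
        # -untrusted: used for path building, never as a trust anchor.
        openssl verify -CAfile "$2" -untrusted "$vc_tmp/inter.pem" "$vc_tmp/leaf.pem"
    else
        openssl verify -CAfile "$2" "$vc_tmp/leaf.pem"
    fi
    vc_rc=$?
    rm -rf "$vc_tmp"
    return "$vc_rc"
}

# make_test_chain DIR: constructed throwaway PKI (root -> inter -> leaf) so the
# helper can be tried offline. Writes root.pem, other-root.pem and cert.pem.
make_test_chain() (
    cd "$1" || exit 2
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' 'CN=unused' \
        '[ca]' 'basicConstraints=critical,CA:TRUE' > t.cnf
    for n in root other-root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -config t.cnf \
            -subj "/CN=Example $n" -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 2
    done
    ca_ext="-extfile t.cnf -extensions ca -days 2"
    openssl x509 -req -in root.csr -signkey root.key $ca_ext -out root.pem 2>/dev/null &&
    openssl x509 -req -in other-root.csr -signkey other-root.key $ca_ext -out other-root.pem 2>/dev/null &&
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial $ca_ext -out inter.pem 2>/dev/null &&
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 2 -out leaf.pem 2>/dev/null &&
    cat leaf.pem inter.pem > cert.pem
)

# Run with the argument "demo": the matching root passes, an unrelated root fails.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_test_chain "$d" || exit 2
    verify_chain "$d/cert.pem" "$d/root.pem"
    verify_chain "$d/cert.pem" "$d/other-root.pem"
fi
```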