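openssl verify gives me error code 20, whereas s_client gives me return code 1 and correctly gets the root certificate.
Can anyone point out how I can verify the downloaded certificate?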
```
ychaouche@ychaouche-PC 10:30:22 ~/TMP/CERTS $ openssl s_client -CApath /etc/ssl/certs/ -connect domain.tld:993
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = domain.tld
verify return:1
---
Certificate chain
 0 s:/CN=domain.tld
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
```
And verify:
```
ychaouche@ychaouche-PC 10:30:30 ~/TMP/CERTS $ openssl verify -CApath /etc/ssl/certs/ domaintld.crt
domaintld.crt: CN = domain.tld
error 20 at 0 depth lookup:unable to get local issuer certificate
ychaouche@ychaouche-PC 10:31:21 ~/TMP/CERTS $
```
Edit: found the answer on SO: https://stackoverflow.com/questions/28072021/discrepancy-between-openssl-verify-and-s-client-command
I don't know what is best: simply delete this question, or close it and add a duplicate link to SO? (For other people searching on SF.)
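This has already been answered on SO. From https://stackoverflow.com/questions/28072021/discrepancy-between-openssl-verify-and-s-client-command:
openssl verify does not expect the certificate to contain its chain. The chain needs to be passed with the -untrusted parameter. You can pass the same file there; trust is still determined by finding a trusted root in -CAfile/-CApath.
```
openssl verify -CApath /etc/ssl/certs -untrusted google_chain.pem google_chain.pem
```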
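
The behaviour this answer describes can be reproduced offline with a throwaway PKI. The script below is an added example, not part of the original answer: the CA names and file names are constructed, and `-CAfile root.pem` with a demo root stands in for `-CApath /etc/ssl/certs`. It assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example; every name below is constructed for the demo.

# Build root -> intermediate -> leaf in directory $1 (runs in a subshell).
build_demo_pki() (
  cd "$1" &&
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > ca.cnf &&
  # Self-signed root: the trust anchor. other.pem is an unrelated root.
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj '/CN=Demo Root CA' -days 2 2>/dev/null &&
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout other.key -out other.pem -subj '/CN=Unrelated Root' -days 2 2>/dev/null &&
  # Intermediate CA signed by the root.
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout int.key -out int.csr -subj '/CN=Demo Intermediate CA' 2>/dev/null &&
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.cnf -extensions v3_ca -out int.pem -days 2 2>/dev/null &&
  # Leaf signed by the intermediate.
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj '/CN=domain.tld' 2>/dev/null &&
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out leaf.pem -days 2 2>/dev/null &&
  # What a server sends: leaf first, then the intermediate, no root.
  cat leaf.pem int.pem > chain.pem
)

# The question's failing call: leaf plus trusted root, intermediate missing.
verify_leaf_only() ( cd "$1" && openssl verify -CAfile root.pem leaf.pem 2>&1 )

# The answer's fix: the chain file is both -untrusted input and the target.
verify_with_untrusted() (
  cd "$1" && openssl verify -CAfile root.pem -untrusted chain.pem chain.pem 2>&1
)

# -untrusted only helps path building; without the right root it still fails.
verify_with_wrong_root() (
  cd "$1" && openssl verify -CAfile other.pem -untrusted chain.pem chain.pem 2>&1
)

demo_dir=$(mktemp -d) && build_demo_pki "$demo_dir" && {
  verify_leaf_only "$demo_dir" || true        # error 20 at 0 depth lookup
  verify_with_untrusted "$demo_dir"           # chain.pem: OK
  verify_with_wrong_root "$demo_dir" || true  # fails: no trusted root
}
rm -rf "$demo_dir"
```

The third call shows why passing the chain as `-untrusted` is safe: those certificates are used only to build the path, and the result still depends on a root found in the trusted store.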