Check SSL certificates

Posted . Visible to the public.

Installing SSL certificates usually implies additionally using intermediate certificates. If one of them is missing, some SSL client implementations might fail with failures such as

curl

~ curl -v https://host-to-check
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

OpenSSL

~ openssl s_client -connect host-to-check:443
...
verify error:num=20:unable to get local issuer certificate
...
verify error:num=27:certificate not trusted
...
verify error:num=21:unable to verify the first certificate

Firefox

You will see the "This Connection is Untrusted" error with details such as The certificate is not trusted because no issuer chain was provided.

How to fix it

Use https://www.ssllabs.com/ssltest/analyze.html Show archive.org snapshot to perform an in-depth check of your site.

Use tools of the certificate suppliers, many can tell you which intermediate CA is missing exactly:

Thomas Eisenbarth
Last edit
Deleted user #3993
License
Source code in this card is licensed under the MIT License.
Posted by Thomas Eisenbarth to makandra dev (2015-10-20 07:54)