Unable to get local issuer certificate error with the CApath option for client authentication in Apache HTTPD
Environment
- Red Hat Enterprise Linux (RHEL)
- Red Hat Software Collections (RHSCL)
- Red Hat JBoss Enterprise Web Server (EWS)
- Red Hat JBoss Web Server (JWS)
- Red Hat JBoss Core Services (JBCS)
- Apache Web Server (HTTPD)
Issue
The following error is returned when the CApath option is used for client (mutual) certificate authentication, even though the CApath directory does contain the correct CA certificates:
Error (20): unable to get local issuer certificate
Resolution
The certificates in an OpenSSL CApath store must be named (or symlinked) after the hash of their subject DN. OpenSSL does not scan the directory; it computes the hash of the issuer name it is looking for and opens files with that name, so a certificate with any other file name is never found.
There are two ways to create the correctly named entries:
Manually
For each certificate in the CApath, first obtain the subject DN hash (-hash is a synonym for -subject_hash):
# openssl x509 -noout -in /path/to/CApath/ca.pem -hash
/path/to/CApath/ is the directory containing the trusted CA certificates. There is no default location; it is whatever directory the configuration points to (in HTTPD this is the mod_ssl SSLCACertificatePath directive).
Then create a symbolic link named after that hash in the CApath directory (the relative link target works because ca.pem lives in the same directory):
# ln -s ca.pem /path/to/CApath/<hash>.0
The numeric suffix starts at 0 and is incremented by one for each further certificate that has the same hash (for example two CA certificates that share a subject DN). OpenSSL loads <hash>.0, <hash>.1, ... in order and stops at the first number that does not exist, so if <hash>.0 and <hash>.2 are present but <hash>.1 is missing, <hash>.2 is silently ignored.
Via the c_rehash tool (shipped in the openssl-perl package, available in the Optional channel)
# yum install openssl-perl
# c_rehash /path/to/CApath
To check that the CApath can verify a given certificate (cert.pem), use the following command and confirm it prints cert.pem: OK:
# openssl verify -CApath /path/to/CApath/ cert.pem
To check that the CApath can verify the certificate presented by a remote service, use the following command and look for Verify return code: 0 (ok) in the output:
# openssl s_client -connect <host>:<port> -CApath /path/to/CApath/
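The manual procedure above, carried through end to end as an added example; this is not code from the Red Hat solution. It generates two throwaway CA certificates with the same subject DN (so their hashes collide and the second one has to become <hash>.1), issues a server certificate from the second CA, builds the symlinks with a helper that always picks the first free suffix, checks the store with openssl verify, and then reproduces the "missing number" mistake described above by renaming <hash>.1 to <hash>.2. The directory layout, certificate subjects and helper function names are all invented for the demonstration; only the openssl binary is required.

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution: build an OpenSSL CApath by
# hand with gap-free <subject-hash>.N symlinks and check it with
# `openssl verify`. Two CA certificates are generated with the SAME subject
# DN so their hashes collide and the second one must become <hash>.1. All
# certificates are throwaway demo data created under a temporary directory.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CAPATH="$WORK/capath"                 # stands in for /path/to/CApath
mkdir -p "$CAPATH"

# Extension config for the demo CAs, so the result does not depend on the
# host's openssl.cnf: a CA certificate must carry CA:TRUE or verify rejects it.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
# Leaf extensions: the AKID lets OpenSSL tell the two same-named CAs apart.
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# make_ca NAME SUBJECT: self-signed CA certificate placed in CAPATH (demo data)
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
        -config "$WORK/ca.cnf" -subj "$2" \
        -keyout "$WORK/$1.key" -out "$CAPATH/$1.pem" 2>/dev/null
}

# make_leaf NAME CA: end-entity certificate for CN=NAME issued by CA (demo data)
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/$1.csr" -extfile "$WORK/leaf.ext" \
        -CA "$CAPATH/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -CAserial "$WORK/$2.srl" -out "$WORK/$1.pem" 2>/dev/null
}

# capath_link PEM: link PEM (already inside CAPATH) as <subject-hash>.N, taking
# the first free N so the numbering never has a gap. Prints the link name.
capath_link() {
    subject_hash=$(openssl x509 -noout -hash -in "$1")
    n=0
    while [ -e "$CAPATH/$subject_hash.$n" ]; do
        n=$((n + 1))
    done
    ln -s "$(basename "$1")" "$CAPATH/$subject_hash.$n"
    echo "$subject_hash.$n"
}

# capath_verify CERT: succeed only if CERT chains to a CA found through CAPATH
capath_verify() {
    openssl verify -CApath "$CAPATH" "$1" >/dev/null 2>&1
}

# make_gap: rename <hash>.1 to <hash>.2, reproducing the "missing number"
# mistake. OpenSSL stops at the first suffix that does not exist, so .2 is
# never opened and the second CA silently disappears from the store.
make_gap() {
    mv "$CAPATH/${LINK2%.*}.1" "$CAPATH/${LINK2%.*}.2"
}

make_ca ca1 "/O=Example/CN=Demo Root CA"
make_ca ca2 "/O=Example/CN=Demo Root CA"   # same DN, different key
make_leaf server ca2                        # issued by the second CA only
LINK1=$(capath_link "$CAPATH/ca1.pem")      # <hash>.0
LINK2=$(capath_link "$CAPATH/ca2.pem")      # <hash>.1, same hash as LINK1
echo "links: $LINK1 $LINK2"

if capath_verify "$WORK/server.pem"; then
    echo "verify with .0 and .1 present: OK"
fi
make_gap
if ! capath_verify "$WORK/server.pem"; then
    echo "verify after renaming .1 to .2: FAILS (error 20, issuer not found)"
fi
```

Run it as an unprivileged user; it writes only under the temporary directory it creates and removes it on exit. The second verify fails with exactly the error from the Issue section because the issuer of server.pem is only reachable through <hash>.1. On OpenSSL 1.1.0 and later, openssl rehash is a C reimplementation of c_rehash that does the same job without the openssl-perl package.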
Root Cause
When a client (or HTTPD itself, through mod_ssl) is built against OpenSSL, it can usually be given a CApath: a directory holding the trusted CA certificates. OpenSSL does not read every file in that directory. It computes the hash of the subject DN of the issuer it needs and opens <hash>.0, <hash>.1, ... until a number is missing, so certificates that are not named (or symlinked) that way are never found, even though they are present, and the lookup fails with "unable to get local issuer certificate".
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.