Posted in Development

Diagnose SSL certificate issues (with openssl)

Lately I have been confronting issues with various sites’ SSL certificates. Here’s a quick guide to how to work out the issue so that we can resolve the problem at hand.

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

You might see the above error while connecting to a site. What does that mean? In simple terms, it means that your SSL client has probably failed to verify that the certificate for the domain is ultimately issued by a “root” Certificate Authority certificate. [1]

It might also be possible that the certificate has expired. Currently, there are some fantastic online resources that can check all aspects of an SSL certificate for you. I find these two sites to be very valuable. These would be my first port of call:

Google Chrome also shows a lot of useful information about the certificate if one clicks the padlock icon on the left of the address bar.

There might be times where you want to verify that your server is not the issue; remember that the list of root CA certificates may differ between user agents and operating systems. For example, Firefox bundles its own list of root CA certificates, while Chrome defers to the operating system’s list of CA certificates.

After the usual wget or curl, I normally turn to openssl. First try connecting using openssl’s s_client:

openssl s_client -CApath /etc/ssl/certs/ -connect <host>:443

You might see something like:

verify error:num=21:unable to verify the first certificate
verify return:1

The above error usually points to a missing intermediate certificate, i.e. the server is not sending the certificate of the issuer that signed the domain’s certificate. Of course it’s optional to send the issuer certificate if it is a root certificate, given that the root certificate is already present locally.

To inspect an SSL certificate so that we can see useful information like the issue date or expiry date, use openssl’s x509 utility:

openssl x509 -in certificate.pem -noout -text

The above command will also tell you the issuer of the certificate, e.g.:

issuer=/C=US/O=DigiCert Inc/ SHA2 Extended Validation Server CA

You can then search the issuer’s website to determine if the issuer certificate is an intermediate or a root certificate. Most SSL issuer websites have decent help systems geared towards helping server administrators set up the right intermediate certificates.

We can also try to verify the certificate against the local store of root certificates, using openssl’s verify tool:

openssl verify -verbose certificate.pem

To verify against an intermediate certificate, we use this command:

openssl verify -verbose -CAfile intermediate.pem certificate.pem

Hopefully you will see the successful result, which looks something like this!

certificate.pem: OK
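As an added example (not from the original post), the script below builds a throwaway root/intermediate/leaf chain with openssl, reproduces the missing-intermediate failure that openssl verify reports, and then passes the intermediate in its proper role with -untrusted while the root stays the trust anchor. The names Demo Root CA, Demo Intermediate CA and www.example.test are constructed placeholders.

```shell
#!/bin/sh
# Constructed demo: a three-tier chain (root -> intermediate -> leaf) shows
# why a client that only has the leaf cannot verify it, and how the
# intermediate repairs the chain. Everything is generated in a temp dir.
set -eu
WORK=${WORK:-$(mktemp -d)}
trap 'rm -rf "$WORK"' EXIT

# gen_chain: create root CA, intermediate CA and leaf certificate in $WORK.
gen_chain() {
  # Without basicConstraints CA:TRUE openssl will not accept the
  # intermediate as an issuer, so the extensions are written explicitly.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_without_intermediate: the situation a client is in when the server
# sends only the leaf. Prints openssl's diagnostic and returns non-zero.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 || return 1
}

# verify_with_intermediate: the intermediate is chain material, not a trust
# anchor, so it goes in -untrusted; only the root is passed as -CAfile.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" 2>&1
}

# issuer_of: print a certificate's issuer, the name to look up on the CA's
# website when hunting for the matching intermediate.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

gen_chain
echo "--- without intermediate:"; verify_without_intermediate || true
echo "--- with intermediate:";    verify_with_intermediate
echo "--- leaf issuer:";          issuer_of "$WORK/leaf.pem"
```

The first verify fails with "unable to get local issuer certificate" because nothing in the trust store or the supplied chain names the leaf's issuer; the second prints "leaf.pem: OK".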

May your servers stay secure and fast.

[1] There are no issuers for a root certificate. From my perspective, we basically just trust that the “root” certificates are themselves valid. There are of course vigorous checks and audits before a root certificate is accepted into an operating system or a browser.