Summary
Why am I getting "unable to get local issuer certificate"
when I try to connect to gitlab.colo.networkedinsights.com:443?
Fix
$ wget -O /etc/httpd/ssl/gd_bundle-g2-g1.crt https://certs.godaddy.com/repository/gd_bundle-g2-g1.crt
/etc/httpd/conf.d/ssl.conf:
<VirtualHost ...>
SSLCertificateFile /etc/httpd/ssl/... .crt
SSLCertificateKeyFile /etc/httpd/ssl/... .key
SSLCertificateChainFile /etc/httpd/ssl/gd_bundle-g2-g1.crt
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLVerifyClient optional
SSLVerifyDepth 10
</Files>
</VirtualHost>
Examples
$ openssl s_client -connect gitlab.colo.networkedinsights.com:443 < /dev/null 2>/dev/null | grep 'Verify return code'
Verify return code: 0 (ok)
$ gitlab users | head
+---------------------------------------------------------------------------------------------------------------------+------------------------------------------+------------------+--------------------+-----------------+--------------------------+-------------------------------------------+----------------------------------------------------------------------------------+----+----------+----------+---------------------+----------------+----------+------------------+--------+----------+---------------+------------+-------------+
| Gitlab.users |
+---------------------------------------------------------------------------------------------------------------------+------------------------------------------+------------------+--------------------+-----------------+--------------------------+-------------------------------------------+----------------------------------------------------------------------------------+----+----------+----------+---------------------+----------------+----------+------------------+--------+----------+---------------+------------+-------------+
| avatar_url | bio | can_create_group | can_create_project | color_scheme_id | created_at | email | extern_uid | id | is_admin | linkedin | name | projects_limit | provider | skype | state | theme_id | twitter | username | website_url |
+---------------------------------------------------------------------------------------------------------------------+------------------------------------------+------------------+--------------------+-----------------+--------------------------+-------------------------------------------+----------------------------------------------------------------------------------+----+----------+----------+---------------------+----------------+----------+------------------+--------+----------+---------------+------------+-------------+
...
Client trace
client$ openssl s_client -connect gitlab.colo.networkedinsights.com:443 < /dev/null | head
depth=0 OU = Domain Control Validated, CN = *.colo.networkedinsights.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = *.colo.networkedinsights.com
verify error:num=21:unable to verify the first certificate
verify return:1
DONE
CONNECTED(00000003)
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.colo.networkedinsights.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
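The client trace above shows where the path breaks: certificate 0 names "Go Daddy Secure Certificate Authority - G2" as its issuer, but the certificate served as entry 1 is "Go Daddy Secure Certification Authority". The check below is an added example, not part of the original page; the function names are hypothetical and the second sample chain is constructed.

```shell
# Added example (not from the original page): checks that each certificate in
# the "Certificate chain" section of `openssl s_client` output is followed by
# its issuer. DN strings are compared literally; signatures are not verified.
check_chain_links() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        !in_chain            { next }
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^[0-9]+ s:/ {
            idx = line;  sub(/ .*/, "", idx)
            subj = line; sub(/^[0-9]+ s:/, "", subj)
            if (seen && subj != issuer) {
                printf "cert %d issuer:  %s\ncert %d subject: %s\n", prev, issuer, idx, subj
                broken++
            }
            prev = idx; seen++
        }
        line ~ /^i:/ { issuer = line; sub(/^i:/, "", issuer) }
        END { if (!seen) exit 2; exit (broken > 0) }
    '
}

# Chain section copied from the client trace on this page.
page_client_chain() {
    cat <<'EOF'
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.colo.networkedinsights.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
EOF
}

# Constructed sample: the same leaf followed by an intermediate whose subject
# equals the leaf issuer, as a matching chain file would produce.
constructed_linked_chain() {
    cat <<'EOF'
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.colo.networkedinsights.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
---
EOF
}

page_client_chain | check_chain_links || echo "broken chain link (exit $?)"
```

Against a live server, pipe `openssl s_client -connect host:443 < /dev/null 2>/dev/null` into `check_chain_links`; exit status 1 means a served certificate is not followed by its issuer, 2 means no chain section was found.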
Server trace
server$ openssl s_client -connect gitlab.colo.networkedinsights.com:443 < /dev/null | head
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.colo.networkedinsights.com
verify return:1
DONE
CONNECTED(00000004)
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.colo.networkedinsights.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
Configuration
/etc/httpd/conf.d/ssl.conf:
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLCertificateFile /etc/httpd/ssl/colo.networkedinsights.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/colo.networkedinsights.com.key
SSLCertificateChainFile /etc/httpd/ssl/gd_intermediate.crt
SSLCACertificateFile /etc/httpd/ssl/gd-class2-root.crt
ServerName gitlab.colo.networkedinsights.com
Server stack
$ rpm -q openssl
openssl-1.0.1e-16.el6_5.14.x86_64
$ rpm -q httpd
httpd-2.2.15-15.el6.centos.1.x86_64
$ cat /etc/centos-release
CentOS release 6.3 (Final)
Client stack
$ specs openssl brew os
Specs:
specs 0.13
https://github.com/mcandre/specs#readme
openssl version
OpenSSL 1.0.2 22 Jan 2015
brew --version
0.9.5
system_profiler SPSoftwareDataType | grep 'System Version'
System Version: OS X 10.10.2 (14C109)
$ rvm osx-ssl-certs update all
Updating certificates for /usr/local/etc/openssl/cert.pem: Already up to date.