Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Certificate Verification Error: unable to get local issuer certificate
See original GitHub issueSteps to reproduce the problem:
- on CentOS 7, install all dependencies
- install mitmproxy from source code https://github.com/mitmproxy/mitmproxy.git, commit: 8be0d78eaa104996474041bf709ea8aeb7f3637d
- setup proxy server on mobile, install mitmproxy certificate from mitm.it
- open https://baidu.com in browser
What is the expected behavior?
browser works
What went wrong?
browser shows an error message:
502 Bad Gateway. Certificate Verification Error for www.baidu.com: unable to get local issuer certificate (errno: 20, depth: 2)
Here is the log for https://www.baidu.com
111.206.14.134:57025: GET https://www.baidu.com/
<< Certificate Verification Error for www.baidu.com: unable to get local issuer certificate (errno: 20, depth: 2)
https://baidu.com or https://google.com doesn’t work, but some https sites like github.com works. Here is the log for https://github.com
111.206.15.132:52912: CONNECT github.com:443
<< Cannot establish TLS with client (sni: github.com): TlsException("(-1, 'Unexpected EOF')",)
Any other comments? What have you tried so far?
- I tried to update the certificates on centos by
yum install ca-certificates, doesn’t work. - I tried to verify the certificate by openssl on this centos server, it looks good
$ openssl s_client -quiet -connect www.baidu.com:443
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3
verify return:1
depth=0 C = CN, ST = Beijing, L = Beijing, O = "BeiJing Baidu Netcom Science Technology Co., Ltd", OU = service operation department, CN = baidu.com
verify return:1
- I tried to deploy same version on my Macbook laptop, it works.
Mitmproxy Version: 0.18, commit: 8be0d78eaa104996474041bf709ea8aeb7f3637d Operating System: CentOS 7
Issue Analytics
- State:
- Created 7 years ago
- Reactions:2
- Comments:23 (4 by maintainers)
Top Results From Across the Web
OpenSSL Verify return code: 20 (unable to get local issuer ...
Explanation: Error unable to get local issuer certificate means, that the openssl does not know your root CA cert.
Read more >SSL Certificate Problem: Unable to get Local Issuer Certificate
The common cause behind “Cause of SSL Certificate Problem: Unable to get Local Issuer Certificate” is an error that causes misconfiguration ...
Read more >Error (20): Unable to Get Local User Certificate
When OpenSSL returns this error, the program was unable to verify the certificate's issuer or the topmost certificate of a provided chain.
Read more >Fix Unable to get Local Issuer Certificate Error - AboutSSL
The main reason for this error to occur is when you are using client SSL and you try to make a request of...
Read more >Unable to get Local Issuer Certificate - How to Fix? - ClickSSL
However, the error unable to get local issuer certificate' occurs when the root certificate is not working properly especially when an SSL ...
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
If you don’t care about security, you may run
mitmproxy --insecure(ormitmweb --insecure) to skip verification.The
--insecureoption was deprecated. Use--ssl-insecureinstead.