Keywords: OpenSSL | SSL certificate verification | Intermediate certificate missing
Abstract: This article analyses the 'unable to verify the first certificate' error that occurs during SSL certificate verification with the OpenSSL client. Using the Experian URL case study, it shows how a missing intermediate certificate causes verification to fail and why a complete certificate chain is essential to the SSL handshake. The article presents both server-side and client-side solutions and explains certificate verification principles and troubleshooting methods.
Problem Background and Phenomenon Description
When verifying the SSL connection to Experian with the OpenSSL client on an Ubuntu 10.10 system, running the command openssl s_client -CApath /etc/ssl/certs/ -connect dm1.experian.com:443 ends with the connection being closed and verification error code 21 (unable to verify the first certificate). Although the system certificate store contains the certificate authority that signed the Experian certificate (VeriSign Class 3 Secure Server CA - G3), verification still fails.
In-depth Analysis of Error Root Cause
A closer look at the OpenSSL output reveals a more specific message: verify error:num=20:unable to get local issuer certificate. This error means that OpenSSL cannot locate the certificate of the intermediate authority that issued the server certificate.
The core issue is an incomplete certificate chain. The system store does contain a certificate named "VeriSign Class 3 Secure Server CA - G3", but it is a similarly named, functionally different root certificate. The intermediate certificate that is actually required is not part of the system's default certificate bundle.
Certificate Chain Transmission Mechanism Comparison
Comparing the SSL handshakes of different servers shows the key difference: a properly configured server sends the complete certificate chain during the handshake, that is the end-entity certificate, the intermediate certificates and the root certificate. A problematic server sends only the end-entity certificate, so OpenSSL cannot build a complete verification path.
The OpenSSL client does not automatically download missing intermediate certificates, in sharp contrast to modern browsers such as Firefox. Browsers can retrieve and verify a missing intermediate certificate on their own by following the Authority Information Access extension in the certificate.
Solutions and Implementation Steps
Server-side Solution: The most fundamental fix is to correct the server configuration so that the complete certificate chain is sent during the SSL handshake. The server administrator must reconfigure the SSL certificate binding to include all necessary intermediate certificates.
Client-side Solution: When the server configuration cannot be changed, the verification issue can be resolved by providing the missing intermediate certificate to OpenSSL. The steps are:
- Obtain the correct intermediate certificate file
- Use the -CAfile parameter to specify the path of that certificate file
- Re-run the verification command:
openssl s_client -CAfile /path/to/intermediate.crt -connect dm1.experian.com:443
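The failure and the fix described above can be reproduced offline with a throw-away test PKI. This is an added example, not part of the original article: it builds a root, an intermediate and a leaf with the openssl CLI (the names demo-root, demo-int, dm1.example.test and the AIA URL are all constructed), shows that a bundle holding only the leaf cannot be verified against the trusted root (error 20), and that supplying the intermediate completes the path.

```shell
#!/bin/sh
# Added example: reproduce "unable to get local issuer certificate" with a
# locally generated root -> intermediate -> leaf chain, then fix it by supplying
# the intermediate. Needs only the openssl CLI (1.1.1 or later), no network.
# All names below are constructed for this demo.
set -eu
WORK=$(mktemp -d)

# Build the test PKI. The leaf carries an AIA "CA Issuers" pointer, which is
# what a browser would follow to fetch the missing intermediate; openssl does not.
make_chain() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-root" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/root.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-int" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=dm1.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:dm1.example.test\nauthorityInfoAccess=caIssuers;URI:http://pki.example.test/demo-int.cer\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Number of certificates in a PEM bundle, e.g. the output of
# `openssl s_client -showcerts`: 1 means the server sent only the end-entity cert.
chain_length() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# What the client sees when only the leaf arrives: the root is trusted, but
# nothing links the leaf to it (verify error 20).
verify_leaf_alone() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 || true
}

# Supplying the intermediate (-untrusted here; -CAfile together with -CApath for
# s_client, since -CAfile alone replaces the default store) completes the path.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" 2>&1
}

# Where a browser would go to fetch the intermediate by itself.
aia_ca_issuers() { openssl x509 -in "$WORK/leaf.pem" -noout -text | grep 'CA Issuers'; }

make_chain
echo "certs in leaf-only bundle: $(chain_length "$WORK/leaf.pem")"
verify_leaf_alone
verify_with_intermediate
aia_ca_issuers
```

Against a real server, the same chain_length check can be run on the output of openssl s_client -showcerts to confirm whether the intermediate was sent at all.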
Related Case Validation and Extension
A similar issue encountered in SonarAnalysis tasks, described in the reference articles, further confirms the importance of certificate chain completeness. Even with the root certificate properly imported into the JVM, a missing intermediate certificate still causes "Unable to verify the first certificate" errors.
The workaround NODE_TLS_REJECT_UNAUTHORIZED=0 mentioned in those cases bypasses certificate verification altogether; it severely compromises system security and is not recommended for production environments.
Technical Principles Deep Dive
SSL/TLS certificate verification relies on building a complete trust chain. Verification starts from the end-entity certificate and proceeds upward one level at a time until it reaches a trusted root certificate. If any level of the chain is missing, verification fails.
Intermediate certificates play a crucial role in the PKI system: they are issued by root certificate authorities and are used in turn to issue end-entity certificates. This hierarchy keeps the root key offline and secure while providing operational flexibility.
Best Practice Recommendations
To keep SSL certificate verification reliable: regularly update the system certificate bundle so that chains can be completed; always include the complete certificate chain in server configurations; and implement appropriate handling of certificate verification errors in client applications rather than disabling verification.