Question

I'm running into an issue where I'm getting an error message:

Download error on https://pypi.python.org/simple/: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598) -- Some packages may not be found!

This is my own custom compilation of OpenSSL. However, my web browser trusts this site just fine.

I've tried going to <openssldir>/certs/ and putting the certificates in there, then running a little Bash script to make symlinks in the format of <hash>.0 for each one. I've read in a few places that this is how it's supposed to work:

for f in *.pem
do
  ln -s "$f" `openssl x509 -hash -noout -in "$f"`.0
done

I'm kinda able to get it working... when I run:

openssl s_client -showcerts -connect pypi.python.org:443 -CApath .

I get (truncated):

Start Time: 1399590981
Timeout   : 300 (sec)
Verify return code: 0 (ok)

But, when I run:

openssl s_client -showcerts -connect pypi.python.org:443

I get:

Start Time: 1399591046
Timeout   : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)

Why only when I specify -CApath?

How can I make it use these by default?


Solution

With this command, you verify the company the certificate comes from:

openssl s_client -connect pypi.python.org:443

Result:

depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance CA-3
verify error:num=20:unable to get local issuer certificate

You don't have the root certificate for it. Download DigiCertAssuredIDRootCA.crt from: https://www.digicert.com/digicert-root-certificates.htm

And use it with -CAfile:

openssl s_client -connect pypi.python.org:443 -CAfile DigiCertAssuredIDRootCA.crt 

Now it works!
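The hashed-directory procedure from the question can be reproduced offline, as an added example that is not part of the original question or answer. It assumes OpenSSL 1.1.1 or later on PATH with its stock openssl.cnf; the function names are hypothetical, the certificates are constructed test data, and SSL_CERT_DIR (not mentioned above) is the environment variable OpenSSL reads for its default certificate directory.

```shell
#!/bin/sh
# Added example. All certificates below are throwaway test data (constructed).

make_fixture() {    # $1 = work dir: creates certs/ca.pem (test root) and leaf.pem
    mkdir -p "$1/certs" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test Root" \
        -keyout "$1/ca.key" -out "$1/certs/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -days 1 \
        -CA "$1/certs/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/leaf.pem" 2>/dev/null
}

hash_dir() {        # $1 = CA directory; the question's loop, safe to re-run
    ( cd "$1" || exit 1
      for f in *.pem; do
          [ -f "$f" ] || continue
          # ".0" assumes no two certificates share a subject hash
          ln -sf "$f" "$(openssl x509 -hash -noout -in "$f").0"
      done )
}

# Explicit directory, as with s_client -CApath in the question.
verify_with_capath() { openssl verify -CApath "$1/certs" "$1/leaf.pem" >/dev/null 2>&1; }

# No option: OpenSSL's default directory lookup, redirected by SSL_CERT_DIR.
verify_with_env() { SSL_CERT_DIR="$1/certs" openssl verify "$1/leaf.pem" >/dev/null 2>&1; }

work=$(mktemp -d)
make_fixture "$work"
verify_with_capath "$work" || echo "unhashed directory: issuer not found"
hash_dir "$work/certs"
verify_with_capath "$work" && echo "hashed directory via -CApath: ok"
verify_with_env "$work"    && echo "hashed directory via SSL_CERT_DIR: ok"
openssl version -d          # compiled-in OPENSSLDIR of the binary on PATH
rm -rf "$work"
```

The last command prints the OPENSSLDIR compiled into whichever openssl binary is first on PATH, which is the directory whose certs/ subdirectory that binary treats as its default.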

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow