When a client needs to connect to a server with https, the client needs to trust the server it is talking to. So the client needs to included the server CAs (certificate authorities list) to its trusted CAs.
This error means the client CA list is missing a certificate authority in its CA list.
To display the client CA list, use the following command:
openssl x509 -in ClientCAList.pem -noout -text
Solution:
- Add the missing CA list to the client CA list.
openssl x509 -in MyCompanyCA.crt -text >> ClientCAList.pem
Theory:
Usually certificates work in pairs: a public key and a private key.
Figure 1. Certificates working in pairs: a public key and a private key
This means that the client has a certificate that can be signed by an authority signed itself by a root authority. Likewise, the server has a certificate that can be signed by an authority signed itself by a root authority. In some instances, a certificate can be signed by itself.
Things to remember:
- The server certificate should have its hostname as CN (Common Name). For example: if you want to access the server https://www.mycompany.com the CN should be www.mycompany.com.
- In client CA list you should have all the CA of the server. In this example you need the server CA (5) and the server CA Root (4). If the server is self-signed then add the server certificate (6) to the client CA list.
- Sometimes, the needed CAs are not listed in the certificates hierarchy. Setting environment variable FGLWSDEBUG=3, will give you information about the missing CA.