Centso7 OpenSSL error Verify return code: 20 (unable to get local issuer certificate)

Problem recurrence ： 

        because centos7 default openssl The version is 1.1.0k, When I compile the media service , need openssl edition 1.1.1 above , All previous lower versions deleted openssl, Manually compiled a 1.1.1k Version of , The media service is running normally , also CA Verify normal .

         As a result, the server was powered off and restarted last night , When I was getting Telecom MQ Data time ,openssl Has been an error ,Unhandled exception. System.Security.Authentication.AuthenticationException:The remote certificate was rejected by the provided RemoteCertificateValidat

Use openssl Command to test the connection status ：

openssl s_client -connect msgpush.ctwing.cn:16651

The following results are obtained ：

  Tips , Unable to load local certificate . Various schemes are used , Compile various versions of openssl, Not yet. .

All kinds of helpless , Can only analyze the online environment openssl（ Online is ECS ,openssl by 1.02K） With the local server openssl The difference between , Another few painful hours . Finally checking openssl Version of the command , See the clue , This order is very important ：

openssl version -d

        Results printed online ：

  The result of the local server ：

  Enter online environment openssl The catalog of ： Carry out orders

ll

Show results ：

The key point is this directory , Look at the part marked in red , The soft link here is the location of the certificate

Let's see , Local server

  You can see , I don't see the soft link of the certificate ,

So the reason for everything is here , Didn't tell the system openssl The location of the certificate used . So we can create a soft link .

ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem cert.pem
 

The results are as follows ：

When we use... Again openssl When the test command of ： succeed ,