When you encounter the verify error:num=20, you can use the openssl command to display the certificate chain. The output shows a chain that ends with an issuer for which there is no certificate, for example:
depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)2020 VeriSign verify error:num=20:unable to get local issuer certificate verify return:0 CONNECTED(00000003) --- Certificate chain 0 s:/C=US/ST=California/L=Elkwood/O=example/OU=Domain Controllers/CN=acct934.td.example.com i:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)2020 VeriSign -----BEGIN CERTIFICATE----- …snipped… -----END CERTIFICATE----- 1 s:/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)2020 VeriSig i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority-----BEGIN CERTIFICATE----- …snipped… -----END CERTIFICATE------ Server certificate subject=/C=US/ST=California/L=Elkwood/O=example/OU=Domain Controllers/CN=acct934.td.example.com issuer=/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)2020 VeriSign --- Acceptable client certificate CA names /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU =(c)1998 VeriSign,Inc.-For authorized use only/OU=VeriSign Trust Network /C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority /C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network /OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority--- SSL handshake has read 5299 bytes and written 312 bytes --- New, TLSv1/SSLv3, Cipher is RC4-MD5 Server public key is 1024 bit Compression: NONE Expansion: NONE
The error occurs at a depth of 1, that is, one certificate down the certificate chain, OpenSSL cannot verify the certificate. This error indicates that OpenSSL could not find the issuer certificate or an acceptable client certificate.