23Eki
Why do none of the Global Sign CAs verify this cert that’s signed by Global Sign?
My java program fails to download https://repo1.maven.org/maven2/org/apache/iceberg/iceberg-spark-extensions-3.5_2.12/1.5.2/iceberg-spark-extensions-3.5_2.12-1.5.2.pom
So I ran some commands to figure out why. My first steps is to find which CA cert I need to verify the certs. To do that, I first got the full cert chain from the url I was trying to download from:
openssl s_client -connect repo1.maven.org:443 -showcerts </dev/null 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > fullchain.pem
I got all the TLS and general-purpose Global Sign CA certs from the official website. Then, one by one, I ran openssl to verify them one by one.
➜ certs openssl verify -CAfile root-R1.crt fullchain.pem
CN=repo1.maven.org
error 20 at 0 depth lookup: unable to get local issuer certificate
error fullchain.pem: verification failed
➜ certs openssl verify -CAfile root-R3.crt fullchain.pem
CN=repo1.maven.org
error 20 at 0 depth lookup: unable to get local issuer certificate
error fullchain.pem: verification failed
➜ certs openssl verify -CAfile root-R5.crt fullchain.pem
CN=repo1.maven.org
error 20 at 0 depth lookup: unable to get local issuer certificate
error fullchain.pem: verification failed
➜ certs openssl verify -CAfile root-r6.crt fullchain.pem
CN=repo1.maven.org
error 20 at 0 depth lookup: unable to get local issuer certificate
error fullchain.pem: verification failed
Now I'm stumped. How do I find the CA that can verify this cert?