I have a valid certificate installed on a server and when using the -CApath option with OpenSSL, the certificate chain is valid. However if I don't provide the -CApath option I receive this:
19:self signed certificate in certificate chain
When I try Google's HTTPS port without -CApath, OpenSSL returns:
20:unable to get local issuer certificate
What's the difference between the two?
They're very similar errors. They both indicate that the trust chain didn't end on a trusted certificate. The difference is that the former error occurs when the chain ends on an intermediate certificate and the latter occurs when the chain ends on a root certificate.
20 is the expected error if the root certificate is unknown. The trust chain ends on an intermediate certificate and you can't get the issuer's certificate.
19 will occur if the server, for some reason, sends the self-signed root certificate in the chain. A client won't use a root certificate unless they trust it, and if they trust it, they already have it -- so there's no point in sending it. But no harm either. It just changes the error message.
So I would conclude that on your server, you have the root certificate configured as a chain certificate. So your server is serving that root certificate to clients. This is unnecessary but, so far as I know, harmless.
