On 9/2/22 21:42, Shawn Heisey via openssl-users wrote:
Other bare metal systems and their results with the same PEM file:
Verifies on Proxmox (the one running the VM) with openssl 1.1.1n
Verifies on Ubuntu 22.04 with openssl 3.0.2
Fails on CentOS 7.5.1804 with openssl 1.0.2k-fips
Additional tests done with an identical PEM file and the results:
Passed on Ubuntu Server 22.04 VM, openssl 3.0.2, installed on the same
Proxmox host as the Alma VM that fails.
Passed on Ubuntu 22.04 desktop bare metal, openssl 3.0.2
Failed on CentOS 7 VM running in qemu on that Ubuntu desktop, openssl
1.0.2k-fips
Failed on Fedora 35 VM running in qemu on that Ubuntu desktop, openssl 1.1.1q
Passed on Ubuntu Server 22.04 bare metal, using quictls openssl version
3.0.5+quic
Looks like there is something about RPM-based distros that breaks part
of openssl.
One other bit of info. I ran another test on the Alma VM where I
compiled the master branch of https://github.com/openssl/openssl to
/usr/local/ossl3 and used that to try the verify. This is the failure
output:
[root@certs ~]# /usr/local/bin/ossl verify -CAfile /etc/ssl/certs/local/DOMAIN.wildcards.pem /etc/ssl/certs/local/DOMAIN.wildcards.pem
C=US, O=Let's Encrypt, CN=R3
error 2 at 1 depth lookup: unable to get issuer certificate
error /etc/ssl/certs/local/DOMAIN.wildcards.pem: verification failed
[root@certs ~]# /usr/local/bin/ossl version
OpenSSL 3.1.0-dev (Library: OpenSSL 3.1.0-dev )
Thoughts?
Thanks,
Shawn