Re: Strange problem: openssl verify not working on Proxmox VM, works on a bare metal system

On 3 September 2022 19:26:50 Shawn Heisey via openssl-users <openssl-users@xxxxxxxxxxx> wrote:

On 9/2/22 21:42, Shawn Heisey via openssl-users wrote:
Other bare metal systems and their results with the same PEM file:

Verifies on Proxmox (the one running the VM) with openssl 1.1.1n
Verifies on Ubuntu 22.04 with openssl 3.0.2
Fails on CentOS 7.5.1804 with openssl 1.0.2k-fips

Additional tests done with an identical PEM file and the results:

Passed on Ubuntu Server 22.04 VM, openssl 3.0.2, installed on the same 
proxmox host as the Alma VM that fails.
Passed on Ubuntu 22.04 desktop bare metal, openssl 3.0.2
Failed on Centos 7 VM running in qemu on that Ubuntu desktop, openssl 
1.0.2k-fips
Failed on Fedora35 VM running in qemu on that Ubuntu desktop, openssl 1.1.1q
Passed on Ubuntu Server 22.04 bare metal, using quictls openssl version 
3.0.5+quic

Looks like there is something about RPM-based distros that breaks part 
of openssl.

One other bit of info.  I ran another test on the Alma VM where I 
compiled the master branch of https://github.com/openssl/openssl to 
/usr/local/ossl3 and used that to try the verify. This is the failure 
output:

[root@certs ~]# /usr/local/bin/ossl verify -CAfile /etc/ssl/certs/local/DOMAIN.wildcards.pem /etc/ssl/certs/local/DOMAIN.wildcards.pem
C=US, O=Let's Encrypt, CN=R3
error 2 at 1 depth lookup: unable to get issuer certificate
error /etc/ssl/certs/local/DOMAIN.wildcards.pem: verification failed
[root@certs ~]# /usr/local/bin/ossl version
OpenSSL 3.1.0-dev  (Library: OpenSSL 3.1.0-dev )


Thoughts?

Thanks,
Shawn

R3 is a Let's Encrypt intermediate cert. This could be due to the retirement of the ISRG X1 certificate last year. I would check that /etc/ssl/certs, or wherever the default CA store is on your systems, is up to date.
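
The "error 2 at 1 depth lookup" result from the thread, reproduced offline as an added example that is not part of either message: a constructed three-level chain whose bundle holds only the leaf and the intermediate, verified first with no reachable root and then with the root installed in a hashed CA directory. It assumes OpenSSL 1.1.1 or later on PATH; every certificate name and path is made up, and the leaf-plus-intermediate bundle layout is an assumption about the poster's PEM file.

```shell
#!/bin/sh
# Added example, not from the thread. Every name below is constructed.
# Assumes OpenSSL 1.1.1 or later on PATH.

make_chain() {   # $1 = empty working directory
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/cnf"
    # Self-signed root: the certificate that has to come from the trust store.
    openssl req -config "$d/cnf" -x509 -extensions ca -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate signed by the root (the position R3 has in the thread).
    openssl req -config "$d/cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/cnf" -extensions ca -days 2 -out "$d/int.pem" 2>/dev/null
    # Leaf signed by the intermediate.
    openssl req -config "$d/cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=leaf.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -out "$d/leaf.pem" 2>/dev/null
    # Bundle with leaf + intermediate and no root (assumed layout of the thread's PEM).
    cat "$d/leaf.pem" "$d/int.pem" > "$d/bundle.pem"
}

install_root() {   # $1 = chain directory, $2 = CA directory
    # -CApath lookups expect files named <subject hash>.0
    h=$(openssl x509 -noout -subject_hash -in "$1/root.pem")
    cp "$1/root.pem" "$2/$h.0"
}

verify_bundle() {   # $1 = chain directory, $2 = optional hashed CA directory
    if [ -n "$2" ]; then
        openssl verify -CApath "$2" -CAfile "$1/bundle.pem" "$1/bundle.pem" 2>&1
    else
        openssl verify -no-CApath -CAfile "$1/bundle.pem" "$1/bundle.pem" 2>&1
    fi
}

work=$(mktemp -d) && mkdir "$work/ca" && make_chain "$work"
echo "--- root not reachable:";  verify_bundle "$work"
install_root "$work" "$work/ca"
echo "--- root in hashed CA directory:";  verify_bundle "$work" "$work/ca"
rm -rf "$work"
```

When -CAfile is given without -CApath or -no-CApath, `openssl verify` still consults the build's default certificate directory, so the same command can pass or fail depending on whether that directory holds a hashed copy of the issuing root. `openssl version -d` prints the OPENSSLDIR a given build uses.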
