On 3 September 2022 19:26:50 Shawn Heisey via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
> On 9/2/22 21:42, Shawn Heisey via openssl-users wrote:
>> Other bare metal systems and their results with the same PEM file:
>> Verifies on Proxmox (the one running the VM) with openssl 1.1.1n
>> Verifies on Ubuntu 22.04 with openssl 3.0.2
>> Fails on CentOS 7.5.1804 with openssl 1.0.2k-fips
>
> Additional tests done with an identical PEM file and the results:
>
> Passed on Ubuntu Server 22.04 VM, openssl 3.0.2, installed on the same Proxmox host as the Alma VM that fails.
> Passed on Ubuntu 22.04 desktop bare metal, openssl 3.0.2
> Failed on CentOS 7 VM running in qemu on that Ubuntu desktop, openssl 1.0.2k-fips
> Failed on Fedora 35 VM running in qemu on that Ubuntu desktop, openssl 1.1.1q
> Passed on Ubuntu Server 22.04 bare metal, using quictls openssl version 3.0.5+quic
>
> Looks like there is something about RPM-based distros that breaks part of openssl.
>
> One other bit of info. I ran another test on the Alma VM where I compiled the master branch of https://github.com/openssl/openssl to /usr/local/ossl3 and used that to try the verify. This is the failure output:
>
> [root@certs ~]# /usr/local/bin/ossl verify -CAfile /etc/ssl/certs/local/DOMAIN.wildcards.pem /etc/ssl/certs/local/DOMAIN.wildcards.pem
> C=US, O=Let's Encrypt, CN=R3
> error 2 at 1 depth lookup: unable to get issuer certificate
> error /etc/ssl/certs/local/DOMAIN.wildcards.pem: verification failed
> [root@certs ~]# /usr/local/bin/ossl version
> OpenSSL 3.1.0-dev (Library: OpenSSL 3.1.0-dev )
>
> Thoughts?
>
> Thanks,
> Shawn
R3 is a Let's Encrypt intermediate cert. This could be due to the retirement of the ISRG X1 certificate last year. I would check that /etc/ssl/certs, or wherever the default CA store is on your systems, is up to date.
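The check behind that advice, as an added example that is not part of the thread: `openssl verify -CAfile bundle bundle` does not restrict trust to the named file. Unless told otherwise, the verify command also loads the default certificate directory (and, on OpenSSL 3.x, the default store), so the same command can pass on one host and fail with "error 2 at 1 depth lookup: unable to get issuer certificate" on another purely because of what each host's store holds. The script below separates the two cases: it lists the subject/issuer pairs in a PEM bundle, then verifies the bundle once with only its own contents as trust anchors and once the way the thread did it. It assumes `openssl` 1.1.0 or newer on PATH (`-no-CAfile`/`-no-CApath` do not exist in 1.0.2k, so on CentOS 7 point `-CApath` at an empty directory instead) and builds a throwaway root, intermediate and leaf as constructed demo data in place of ISRG Root X1, R3 and the wildcard cert; every name in it is made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes openssl >= 1.1.0
# on PATH and a writable ${TMPDIR:-/tmp}. All names below are demo values.

# Print subject/issuer of every cert in a PEM bundle, in file order. The last
# issuer printed is what the trust store must contain for the chain to close.
chain_summary() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Return 0 if the bundle verifies using ONLY the certs it contains as trust
# anchors, 1 if it depends on the system store. The first cert in the file is
# the one verified, which is what `openssl verify file` does.
chain_self_contained() {
    bundle=$1
    # OpenSSL 3.x also consults its default "store" lookup unless told not to;
    # 1.1.x does not know -no-CAstore, so probe for the option before using it.
    no_store=""
    if openssl verify -help 2>&1 | grep -q -- '-no-CAstore'; then
        no_store="-no-CAstore"
    fi
    # shellcheck disable=SC2086  # $no_store is intentionally unquoted (may be empty)
    openssl verify -no-CAfile -no-CApath $no_store -CAfile "$bundle" "$bundle" >/dev/null 2>&1
}

# Return 0 if the bundle verifies the way the thread invoked it: -CAfile bundle
# plus whatever the host's default certificate directory/store provides.
chain_verifies_with_system_store() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Build a throwaway root -> intermediate -> leaf hierarchy under $1 (constructed
# demo data standing in for ISRG Root X1 -> R3 -> a wildcard cert).
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    cat >"$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/root.key" -out "$dir/root.pem" -subj "/CN=Demo Root" \
        -config "$dir/ext.cnf" -extensions ca_ext 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" \
        -out "$dir/int.csr" -subj "/CN=Demo Intermediate R3" \
        -config "$dir/ext.cnf" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -set_serial 2 -days 1 -extfile "$dir/ext.cnf" -extensions ca_ext \
        -out "$dir/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
        -out "$dir/leaf.csr" -subj "/CN=*.example.test" \
        -config "$dir/ext.cnf" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -set_serial 3 -days 1 -extfile "$dir/ext.cnf" -extensions leaf_ext \
        -out "$dir/leaf.pem" 2>/dev/null
    # Shape of a Let's Encrypt fullchain.pem: leaf, then intermediate, no root.
    cat "$dir/leaf.pem" "$dir/int.pem" >"$dir/fullchain.pem"
    # The same bundle with the root appended, so it can close on its own.
    cat "$dir/fullchain.pem" "$dir/root.pem" >"$dir/withroot.pem"
}

run_demo() {
    work=${TMPDIR:-/tmp}/chain-demo.$$
    make_demo_pki "$work"
    echo "== fullchain.pem (leaf + intermediate) =="
    chain_summary "$work/fullchain.pem"
    if chain_self_contained "$work/fullchain.pem"; then
        echo "fullchain.pem closes on its own"
    else
        echo "fullchain.pem needs its root from the system store (the demo root is not there)"
    fi
    if chain_self_contained "$work/withroot.pem"; then
        echo "withroot.pem closes on its own"
    fi
    rm -rf "$work"
}

[ "${NO_DEMO:-}" ] || run_demo
```

Run `chain_self_contained` and `chain_verifies_with_system_store` against the real bundle on each host: if the first fails everywhere and only the second varies by host, the bundle is relying on the host's store for its root, and comparing `chain_summary` output with the contents of each host's default directory (`openssl version -d` prints where that is) shows which anchor is missing. Appending the root to the bundle, or passing it explicitly with `-CAfile`, removes the dependency on the host.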