Re: Strange problem: openssl verify not working on Proxmox VM, works on a bare metal system

On Fri, Sep 02, 2022 at 09:42:13PM -0600, Shawn Heisey via openssl-users wrote:

> On an AlmaLinux 8.6 VM hosted in Proxmox:
> 
> [root@certs ~]# openssl verify -CAfile /etc/ssl/certs/local/DOMAIN.wildcards.pem /etc/ssl/certs/local/DOMAIN.wildcards.pem
> C = US, O = Let's Encrypt, CN = R3
> error 2 at 1 depth lookup: unable to get issuer certificate
> error /etc/ssl/certs/local/DOMAIN.wildcards.pem: verification failed

Post the output of:

    $ openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/local/DOMAIN.wildcards.pem |
        openssl pkcs7 -print_certs -noout |
        perl -ne 'BEGIN{$/="\n\n\n"} s/\n+/\n/g; print $_, "\n"'

> If I copy the PEM file to a bare metal system running Ubuntu Server 
> 20.04, it verifies:

Note that OpenSSL verify also looks in the default CApath, and this may
vary from system to system.  The results may depend on what's installed
there.

The verify(1) command will attempt to construct a chain to a trusted
root using the specified or default CAfile and CApath.  You should
really be using the "-untrusted" option, not the "-CAfile" option:

    # cert=/etc/ssl/certs/local/DOMAIN.wildcards.pem
    # openssl verify -untrusted "$cert" "$cert"

This adds the untrusted intermediate certs from the cert file to
the dataset, without shadowing the default CAfile.

-- 
    Viktor.
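As an added example, not part of Viktor's reply or of the OpenSSL project, the
script below builds a throwaway private root -> intermediate -> leaf chain with
the openssl CLI and then runs the "-CAfile" form from the quoted post and the
"-untrusted" form suggested above side by side, plus "-untrusted" on its own.
Every name in it (Example Test Root, www.example.test, the file names) is made
up; the private root is passed as the CAfile because no system trust store can
contain it.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway root -> intermediate
# -> leaf chain with the openssl CLI, then compare the verify invocations discussed
# above. Every name here (Example Test Root, www.example.test, ...) is made up.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cd "$workdir"

# newkey_csr NAME SUBJECT: fresh RSA key plus CSR, no prompts.
newkey_csr() {
    openssl req -new -batch -newkey rsa:2048 -nodes -sha256 \
        -subj "$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# CA extensions: verify rejects an issuer without CA:TRUE, and keyUsage, when
# present, must allow certificate signing.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Self-signed root. Extensions come from -extfile, so openssl.cnf defaults do not matter.
newkey_csr root "/CN=Example Test Root"
openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 \
    -extfile ca.ext -out root.pem 2>/dev/null

# Intermediate signed by the root (the counterpart of Let's Encrypt R3 in the post).
newkey_csr int "/CN=Example Test Intermediate"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -sha256 -extfile ca.ext -out int.pem 2>/dev/null

# End-entity certificate signed by the intermediate.
newkey_csr leaf "/CN=www.example.test"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

# The usual server PEM layout: leaf first, then the intermediate, and no root.
cat leaf.pem int.pem > chain.pem

# Each function prints verify's output and returns its exit status (0 = verified).

# The command from the quoted post: the chain file itself becomes the trust store.
# It holds no self-signed root, so unless the default CApath happens to contain
# one, chain building stops at depth 1 with "unable to get issuer certificate".
verify_cafile_only() {
    openssl verify -CAfile chain.pem chain.pem 2>&1
}

# The suggested form: the file's intermediate is untrusted chain material, and
# trust comes from the CAfile (here the private root).
verify_untrusted_with_root() {
    openssl verify -CAfile root.pem -untrusted chain.pem chain.pem 2>&1
}

# -untrusted alone leaves trust to the default CAfile/CApath, which is what makes
# the result system-dependent: a stock store carries the Let's Encrypt root but
# never this private one, so this call fails.
verify_untrusted_default_store() {
    openssl verify -untrusted chain.pem chain.pem 2>&1
}

for f in verify_cafile_only verify_untrusted_with_root verify_untrusted_default_store; do
    if out=$($f); then echo "$f: verified"; else echo "$f: failed"; fi
    echo "$out"
done
```

The first call reproduces the quoted error at depth 1, the second verifies, and
the third fails with a "local issuer" lookup error because the private root is
in no default store; substituting the real Let's Encrypt chain turns the third
call into the one whose outcome depends on what each host has in its CApath.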


