On Fri, Sep 02, 2022 at 09:42:13PM -0600, Shawn Heisey via openssl-users wrote:

> On an AlmaLinux 8.6 VM hosted in Proxmox:
>
> [root@certs ~]# openssl verify -CAfile /etc/ssl/certs/local/DOMAIN.wildcards.pem /etc/ssl/certs/local/DOMAIN.wildcards.pem
> C = US, O = Let's Encrypt, CN = R3
> error 2 at 1 depth lookup: unable to get issuer certificate
> error /etc/ssl/certs/local/DOMAIN.wildcards.pem: verification failed

Post the output of:

    $ openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/local/DOMAIN.wildcards.pem |
        openssl pkcs7 -print_certs -noout |
        perl -ne 'BEGIN{$/="\n\n\n"} s/\n+/\n/g; print $_, "\n"'

> If I copy the PEM file to a bare metal system running Ubuntu Server
> 20.04, it verifies:

Note that OpenSSL verify also looks in the default CApath, and this may
vary from system to system. The results may depend on what's installed
there.

The verify(1) command will attempt to construct a chain to a trusted
root using the specified or default CAfile and CApath.

You should really be using the "-untrusted" option not the "-CAfile"
option:

    # cert=/etc/ssl/certs/local/DOMAIN.wildcards.pem
    # openssl verify -untrusted "$cert" "$cert"

This adds the untrusted intermediate certs from the cert file to the
dataset, without shadowing the default CAfile.

--
    Viktor.
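Added example, not part of the message above: the difference between passing a leaf+intermediate bundle as -CAfile and as -untrusted, reproduced offline with a constructed three-certificate chain. The function names, the example-* subjects and the use of -CAfile root.pem as a stand-in for the system default trust store are assumptions made for the demonstration.

```shell
# Added example with constructed, throwaway certificates (not from the thread).
# build_chain DIR: root -> intermediate -> leaf; bundle.pem = leaf + intermediate,
# the same layout as a CA-issued "full chain" file. All names are made up.
build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-$n" \
      -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root, then intermediate signed by root, then leaf by intermediate.
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 2 -extfile "$1/ca.ext" -out "$1/int.pem" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null &&
  cat "$1/leaf.pem" "$1/int.pem" > "$1/bundle.pem"
}

# The failing form from the thread: the bundle is the only trust source, so the
# intermediate is found as "trusted" but its issuer (the root) is not available.
# -no-CApath keeps the host's default CApath out of the result.
verify_bundle_as_cafile() {
  openssl verify -no-CApath -CAfile "$1/bundle.pem" "$1/bundle.pem" 2>&1
}

# The suggested form: the bundle only contributes untrusted intermediates.
# Assumption: -CAfile root.pem plays the role of the system default store;
# on a real host that option is omitted, as in the command in the message.
verify_with_untrusted() {
  openssl verify -no-CApath -CAfile "$1/root.pem" \
    -untrusted "$1/bundle.pem" "$1/bundle.pem" 2>&1
}

demo_dir=$(mktemp -d)
build_chain "$demo_dir"
verify_bundle_as_cafile "$demo_dir" || echo "-> bundle as -CAfile: chain stops at the intermediate"
verify_with_untrusted "$demo_dir" && echo "-> bundle as -untrusted: chain reaches the trusted root"
```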