On Sun, Sep 04, 2022 at 08:55:26AM +0100, Roger James via openssl-users wrote:

> As I mentioned in an earlier post you need version 1.1 or later of openssl
> to successfully validate post September 30, 2021 Let's Encrypt certificates.
> The version on your CentOS system is 1.0.

This is not quite true when using verify(1), because one has complete
control over the chain presented for verification via a combination of
the:

    * -trusted anchors.pem, and
    * -untrusted chain.pem

options.

The change to "trusted first always" behaviour in OpenSSL 1.1 is
relevant to TLS clients validating some Let's Encrypt certificate
chains, where the untrusted chain comes from the server, and the DST
cross certificate may not find an unexpired trust anchor in the trust
store.

All that being true, it is not the situation faced by the OP.  FWIW, the
EE certificate in question can also be verified with OpenSSL 1.0.2,
given the right set of untrusted intermediates and trust anchor.

-- 
    Viktor.
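
The control over the presented chain that the message above describes for verify(1), as an added example that is not part of the original post: it builds a constructed throwaway root, intermediate and EE certificate, verifies the EE with -trusted and -untrusted, then repeats the check with the intermediate withheld. The certificate names, file layout and the helper functions make_demo_pki and verify_ee are assumptions made for this example.

```shell
#!/bin/sh
# Constructed throwaway PKI: Demo Root -> Demo Intermediate -> ee.example.
# The helper names and file layout are hypothetical, chosen for this example.

make_demo_pki() {   # $1 = existing directory to fill
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root: the only trust anchor (anchors.pem).
    openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -keyout "$d/root.key" -out "$d/anchors.pem" \
        -subj "/CN=Demo Root" -days 2 2>/dev/null || return 1
    # Intermediate CA issued by the root: passed as untrusted (chain.pem).
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Demo Intermediate" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/anchors.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/demo.cnf" -extensions v3_ca \
        -out "$d/chain.pem" -days 2 2>/dev/null || return 1
    # End-entity certificate issued by the intermediate (ee.pem).
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/ee.key" -out "$d/ee.csr" \
        -subj "/CN=ee.example" 2>/dev/null || return 1
    openssl x509 -req -in "$d/ee.csr" -CA "$d/chain.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/ee.pem" -days 2 2>/dev/null || return 1
}

verify_ee() {   # $1 = trust anchors, $2 = untrusted intermediates or "", $3 = EE
    if [ -n "$2" ]; then
        out=$(openssl verify -trusted "$1" -untrusted "$2" "$3" 2>&1)
    else
        out=$(openssl verify -trusted "$1" "$3" 2>&1)
    fi
    # Decide on the verdict that verify(1) prints for the EE file.
    printf '%s\n' "$out" | grep -q ': OK$'
}

tmp=$(mktemp -d) && make_demo_pki "$tmp" || exit 1
verify_ee "$tmp/anchors.pem" "$tmp/chain.pem" "$tmp/ee.pem" &&
    echo "anchor + intermediate supplied: chain verifies"
verify_ee "$tmp/anchors.pem" "" "$tmp/ee.pem" ||
    echo "intermediate withheld: verification fails"
rm -rf "$tmp"
```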