On 9/4/22 01:55, Roger James via openssl-users wrote:
> As I mentioned in an earlier post you need version 1.1 or later of openssl to successfully validate post September 30, 2021 Let's Encrypt certificates. The version on your Centos system is 1.0.
The CentOS system was just another VM I ran the test on when I was still very confused about what was happening. It's a basic server install on a VM that I power up when I need to try something on that OS without risking problems on production servers.
I will not be using any version of CentOS for this. All my personal systems are Ubuntu, but I am restricted to RHEL clones for work -- primarily CentOS 7 and AlmaLinux 8. The VM that I built for this task is Alma, which has 1.1.1k. We haven't qualified our software setup to work on Alma 9 yet, so I am avoiding it even for a custom deployment like this.
I was finally able to get it to verify on Alma by using -untrusted instead of -CAfile, and including additional certificates to complete the chain. I just tried exactly the same thing on CentOS 7 with openssl 1.0.2k-fips and it verified ... because every certificate needed for the verification is supplied to the command.
Many thanks to Victor for the nudge that got me on the right track to make it work. I have become very spoiled by Ubuntu ... when I work on RHEL clones, it always takes more effort.
Shawn
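The difference Shawn describes (verification failing with -CAfile alone, succeeding once the intermediate certificates are supplied through -untrusted) can be reproduced against a throwaway chain. The script below is an added example and is not code from the thread; it builds a constructed root, intermediate and leaf (the names "Demo Root CA", "Demo Intermediate CA" and "example.test" are made up for the demo) and runs `openssl verify` three ways. It does not reproduce the Let's Encrypt cross-signing situation itself; it only shows which flag supplies what: -CAfile names trust anchors, -untrusted supplies chain certificates that must still lead to a trusted root.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: build a throwaway
# root -> intermediate -> leaf chain and show what `openssl verify`
# does with -CAfile alone versus -CAfile plus -untrusted.
# All names (Demo Root CA, example.test) are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
# CA extensions for root and intermediate; the leaf is explicitly CA:FALSE.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > "$WORK/leaf.ext"

# csr NAME SUBJECT: fresh 2048-bit RSA key plus CSR written into $WORK.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

build_chain() {
  # Root: self-signed, with CA extensions.
  csr root "/CN=Demo Root CA"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate: signed by the root, CA:TRUE.
  csr int "/CN=Demo Intermediate CA"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # Leaf: signed by the intermediate, like a server certificate.
  csr leaf "/CN=example.test"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Each verify_* function returns 0 when `openssl verify` accepts the leaf, 1 otherwise.

# Trust anchor only: the intermediate is nowhere to be found, so chain building stops.
verify_root_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Trust anchor via -CAfile, intermediate supplied via -untrusted: this is the
# shape that makes the chain complete.
verify_with_untrusted() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Root and intermediate both via -untrusted: nothing is a trust anchor, and the
# demo root is not in the system store, so this must fail even with every
# certificate of the chain present on the command line.
verify_untrusted_only() {
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"
  openssl verify -untrusted "$WORK/chain.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

report() {
  if "$1"; then echo "$1: OK"; else echo "$1: FAILED"; fi
}

build_chain
report verify_root_only
report verify_with_untrusted
report verify_untrusted_only
```

Run it with any OpenSSL that has the `openssl verify -untrusted` option; the expected outcome is that only `verify_with_untrusted` reports OK. On a real host the root (for Let's Encrypt, the ISRG root) has to come from -CAfile or the system trust store; putting it in the -untrusted file does not make it a trust anchor.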