Cert verification fails: unable to get issuer certificate

I'm using acme.sh version 3.0.8 to install and renew my Let's Encrypt certificates. This process works great and has for several years. But now I'm trying to set up a Foreman server and running into a problem with using my Let's Encrypt cert with Foreman. In particular, the foreman-installer process fails with

Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)

To show that this is not specifically Foreman-related, a more general openssl command gives the same error:

# openssl verify -CAfile /etc/letsencrypt/chief.middlebury.edu/ca.cer /etc/letsencrypt/chief.middlebury.edu/chief.middlebury.edu.cer 
C = US, O = Let's Encrypt, CN = E6
error 2 at 1 depth lookup: unable to get issuer certificate
error /etc/letsencrypt/chief.middlebury.edu/chief.middlebury.edu.cer: verification failed

I understand Unable to get local issuer certificate to mean that the CA certificate does not validate the server certificate, but this is the CA cert that was installed when I created the server certificate originally with acme.sh. Here's the output from the certificate creation process, which completed successfully:

Your cert is in: /etc/letsencrypt/chief.middlebury.edu_ecc/chief.middlebury.edu.cer
Your cert key is in: /etc/letsencrypt/chief.middlebury.edu_ecc/chief.middlebury.edu.key
The intermediate CA cert is in: /etc/letsencrypt/chief.middlebury.edu_ecc/ca.cer
And the full chain certs is there: /etc/letsencrypt/chief.middlebury.edu_ecc/fullchain.cer

Why does ca.cer not validate the server certificate?

Again, the cert is installed successfully and browsers recognize it -- it's just that the CA cert does not verify its validity, as if something is missing in the intermediate chain somewhere.

This server is not publicly accessible, but as a test we briefly opened it up to public access and that had no effect.

Hi @salmo6 and welcome. 🙂

To me it looks like the public facing Internet cannot access the domain name on Ports 80 and 443.

$ nmap -Pn -p80,443 chief.middlebury.edu
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-10 18:15 UTC
Nmap scan report for chief.middlebury.edu (140.233.37.199)
Host is up.

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.30 seconds

And Let's Debug gives the same basic answer: https://letsdebug.net/chief.middlebury.edu/2416312

1 Like

Yes, the server is not publicly accessible. As a test we temporarily opened up ports 80 and 443 through the edge firewalls, but that had no effect. We got the same error.

I believe that is the issue.

Are you serving the full chain certs? From here.

Edit

Also here is the most recently issued certificate crt.sh | 17763338936
It was issued by E5 and you can find E5 certificates here Chains of Trust - Let's Encrypt

Please verify that

and

match appropriately.

1 Like

Because ca.cer is not a CA Root certificate. It is an Intermediate. Perhaps poor filename choice on acme.sh's part but that's what it is.

openssl verify is tricky to use correctly. See: How to verify LE cert using openssl? - #2 by _az

But, based on the error message it sounds like an outbound connection from your Foreman server install is failing. Usually your system has a set of trusted CA Roots already installed. Sounds like your Foreman does not. Or, less likely, is in a location not available to acme.sh (which uses curl I believe).

Are you trying to run acme.sh from the Foreman server install? If so, what does this show from same command prompt you started that install?

curl https://acme-v02.api.letsencrypt.org/directory
3 Likes

Thanks for the help. Someday given another lifetime I may eventually come to understand TLS certificates.

The fullchain.cer file contains two certificates: the endpoint server cert (chief.middlebury.edu.cer) and the intermediate cert in ca.cer. The many root CAs are all installed in the default locations provided by the system packages (/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem and /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt). All of this looks correct to me, but maybe I'm missing something.

We are running acme.sh from the same server. Running curl https://acme-v02.api.letsencrypt.org/directory shows:

# curl https://acme-v02.api.letsencrypt.org/directory
{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "profiles": {
      "classic": "https://letsencrypt.org/docs/profiles#classic",
      "shortlived": "https://letsencrypt.org/docs/profiles#shortlived (not yet generally available)",
      "tlsserver": "https://letsencrypt.org/docs/profiles#tlsserver (not yet generally available)"
    },
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
  "t_IDtLMqYRg": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
1 Like

Okay, that looks good. Do you know what connection attempt is failing during the foreman-install?

The way you described it sounds like the install itself is failing. We'd need to know what it is trying to connect to.

If it is a problem connecting to it after the install please show the command you tried (a curl or the URL used in a browser).

3 Likes

Here's the debug output from the foreman-installer command. It shows the same error as running openssl verify independent of the installer:

Error 1: Puppet Foreman_host resource 'foreman-chief.middlebury.edu' failed. Logs:
  /Stage[main]/Foreman::Register/Foreman_host[foreman-chief.middlebury.edu]
    Adding autorequire relationship with Anchor[foreman::service]
    Adding autorequire relationship with Anchor[foreman::providers::oauth]
    Starting to evaluate the resource (1583 of 1699)
    Could not evaluate: Exception SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) in get request to: https://chief.middlebury.edu/api/v2/hosts?search=name%3D%22chief.middlebury.edu%22
Wrapped exception:
SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)

There's no error connecting to the cert. Using curl or a browser, the cert works. It's only the step that verifies the cert that is failing. On any other server I'd just ignore this since it otherwise works, but in this particular case I need to be able to verify the cert.

Can you attach these 3 files, they are all public certificates not Private Keys.

  1. /etc/letsencrypt/chief.middlebury.edu_ecc/chief.middlebury.edu.cer
  2. /etc/letsencrypt/chief.middlebury.edu_ecc/ca.cer
  3. /etc/letsencrypt/chief.middlebury.edu_ecc/fullchain.cer

And show the openssl version.

1 Like

/etc/letsencrypt/chief.middlebury.edu_ecc/chief.middlebury.edu.cer:


/etc/letsencrypt/chief.middlebury.edu_ecc/ca.cer:


/etc/letsencrypt/chief.middlebury.edu_ecc/fullchain.cer:


The full chain is the concatenation of the other two certs, which looks as it should be.

OpenSSL is version 1.1.1k:

# openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021
1 Like

The OS is Alma Linux 8.10, and OpenSSL 1.1.1 is the default version for that OS release.

1 Like

What would be more interesting is the output from the below openssl command. Because this "puppet foreman" is failing to verify the cert it sees. Are you sure this "puppet" context has the standard CA Root store available?

Please show this from the same "context" as puppet runs

echo | openssl s_client -connect chief.middlebury.edu:443 
2 Likes

Just doing a quick google on that gives this thread.

The certs you got from Let's Encrypt are not wrong. I mean, it is theoretically possible but really not worth chasing that as a problem. Sure, if you were manually copying/merging/moving them around, it would be worth checking that was done correctly. But to think they were issued wrong is not worth it.

This is far more likely an environment issue at the system requesting the HTTPS connection.

Maybe the above foreman thread will shed some clues. Or even that openssl command in my previous post.

2 Likes

Here is what I get for those cert files:

$ openssl verify -CAfile ./ca.cer ./chief.middlebury.edu.cer
./chief.middlebury.edu.cer: OK

The OpenSSL version

$ openssl version
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)

The OS that I tested with

$ lsb_release
No LSB modules are available.
bam@dc3217iye:~/tmp$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 24.04.2 LTS
Release:        24.04
Codename:       noble

$ uname -a
Linux dc3217iye 6.11.0-21-generic #21~24.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Feb 24 16:52:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

$ cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.2 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
1 Like

Well that's interesting. This is what I get with those same files:

$ openssl verify -CAfile ./ca.cer ./chief.middlebury.edu.cer
C=US, O=Let's Encrypt, CN=R10
error 2 at 1 depth lookup: unable to get issuer certificate
error ./chief.middlebury.edu.cer: verification failed

This is on two different Alma 8.10 machines with OpenSSL 3.3.2 and 3.5.0. What could be causing this difference? Something at the OS level?

1 Like

Answering my own question: It's the firewall. (It's always the firewall.) I tested it on a machine outside our firewall and the cert verifies fine. I just need to have a chat with our network admins to see how we can do this within our firewalls.

2 Likes

Here are the SHA256 fingerprints for the files I used

$ sha256sum ca.cer chief.middlebury.edu.cer fullchain.cer
13bab0b4e1fcd7715ee6d988b6728fb8991b8d23c032869575299a96b4a2c572  ca.cer
2276408691688770b125a1a08137bf5d6ef6b4381966156aee96ccf821711c8f  chief.middlebury.edu.cer
934d256e956da04d631f2279aea688dfa59de7804ddce69d030e22634a7c73d1  fullchain.cer

ca.cer - matches this certificate crt.sh | 12396132904


chief.middlebury.edu.cer - matches this certificate crt.sh | 17769905884


fullchain.cer - concatenation of the above two certificates

1 Like

I don't know how @Bruce5051 got a pass. That command should be expected to fail. His openssl might be built with some loose verification flags set.

-CAfile is not an argument for Intermediates, it's the argument to the trusted root, or a system Trust Store.

-untrusted is the argument for an intermediate; if there are multiple intermediates in a chain, the -untrusted {intermediate} can be repeated.

The verify command should be:

openssl verify -purpose sslserver -CAfile "/path/to/trust-store-or-single-root.pem" -untrusted ca.cer chief.middlebury.edu.cer

I have only tested on 1.1.1 (OpenSSL LTS); 3.x should work the same. I get an expected fail with -CAfile intermediate, but a pass with the syntax I used above.

Note my use of -purpose sslserver above. It's not necessarily required for chainbuilding but will set the verification flags required for a webserver context.

Edit: My recommendation is to download the X1 cert from here - the intermediate used is E6 signed by X1 - and try that as the CA file. That should pass. Then try with CA file as the OS trust store. If that fails, your issue is an old trust store - though X1 is nearly 10 years old now, so I don't know how that problem could manifest.

2 Likes
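
The `-CAfile` versus `-untrusted` distinction from the post above, as an added example that is not code from the thread: it builds a constructed root, intermediate and leaf, then runs the thread's verify commands against them. The names `root.pem` and `leaf.cer`, the subjects, and the `-partial_chain` and `-no-CApath` flags are additions that do not appear in the thread.

```shell
#!/bin/sh
# Constructed throwaway PKI: root -> intermediate -> leaf. File names mirror
# acme.sh's layout; the subjects and the SAN are made up for this example.
WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:leaf.example.test
EOF

# new_csr NAME SUBJECT: fresh RSA key plus a CSR for it.
new_csr() {
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -subj "$2" -out "$1.csr"
}
# sign CSR_NAME CA_CERT CA_KEY EXT_SECTION OUT: issue a 2-day certificate.
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2" -CAkey "$3" -CAcreateserial \
    -extfile pki.cnf -extensions "$4" -days 2 -out "$5"
}
build_pki() {
  openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -subj "/CN=Constructed Root" -days 2 -out root.pem &&
  new_csr int "/CN=Constructed Intermediate" &&
  sign int root.pem root.key v3_ca ca.cer &&
  new_csr leaf "/CN=leaf.example.test" &&
  sign leaf ca.cer int.key v3_leaf leaf.cer
}
build_pki >/dev/null 2>&1 || { echo "could not build the test PKI" >&2; exit 1; }

# -no-CApath (OpenSSL 1.1.0+) keeps the default certificate directory out of
# the lookup, so each result depends only on the files named on the command line.
NOCAPATH=""
openssl verify -help 2>&1 | grep -q -- '-no-CApath' && NOCAPATH="-no-CApath"

# check ARGS...: run one "openssl verify" and print OK or FAIL.
check() {
  if openssl verify $NOCAPATH "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# The command from the thread: the intermediate alone is not a trust anchor.
intermediate_as_cafile()    { check -CAfile ca.cer leaf.cer; }
# Trusted root in -CAfile, intermediate supplied as untrusted chain material.
root_plus_untrusted()       { check -purpose sslserver -CAfile root.pem -untrusted ca.cer leaf.cer; }
# Root trusted but no intermediate offered: the chain cannot be built.
root_without_intermediate() { check -CAfile root.pem leaf.cer; }
# Explicitly accepting the intermediate as an anchor needs -partial_chain.
intermediate_as_anchor()    { check -partial_chain -CAfile ca.cer leaf.cer; }

echo "-CAfile ca.cer                       : $(intermediate_as_cafile)"     # FAIL
echo "-CAfile root.pem -untrusted ca.cer   : $(root_plus_untrusted)"        # OK
echo "-CAfile root.pem (no intermediate)   : $(root_without_intermediate)"  # FAIL
echo "-partial_chain -CAfile ca.cer        : $(intermediate_as_anchor)"     # OK
```
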

Just using the default
Ubuntu 24.04.2 LTS OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)

$ openssl version -f
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2 -Wa,--noexecstack -g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/build/openssl-7xongr/openssl-3.0.13=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -fdebug-prefix-map=/build/openssl-7xongr/openssl-3.0.13=/usr/src/openssl-3.0.13-0ubuntu3.5 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=3
$ openssl version -a
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
built on: Wed Feb  5 13:17:43 2025 UTC
platform: debian-amd64
options:  bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -fzero-call-used-regs=used-gpr -DOPENSSL_TLS_SECURITY_LEVEL=2 -Wa,--noexecstack -g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/build/openssl-7xongr/openssl-3.0.13=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -fdebug-prefix-map=/build/openssl-7xongr/openssl-3.0.13=/usr/src/openssl-3.0.13-0ubuntu3.5 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=3
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-3"
MODULESDIR: "/usr/lib/x86_64-linux-gnu/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x3dbae3bfffebffff:0x281
$ openssl verify ./chief.middlebury.edu.cer
CN = chief.middlebury.edu
error 20 at 0 depth lookup: unable to get local issuer certificate
error ./chief.middlebury.edu.cer: verification failed
$ openssl verify ./fullchain.cer
CN = chief.middlebury.edu
error 20 at 0 depth lookup: unable to get local issuer certificate
error ./fullchain.cer: verification failed
bam@dc3217iye:~/tmp$ cat ca.cer
bam@dc3217iye:~/tmp$ cat chief.middlebury.edu.cer
bam@dc3217iye:~/tmp$ cat fullchain.cer
bam@dc3217iye:~/tmp$ openssl version
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
bam@dc3217iye:~/tmp$ openssl verify -CAfile ./ca.cer ./chief.middlebury.edu.cer
./chief.middlebury.edu.cer: OK
1 Like

However this is what I get on OpenBSD 7.6 GENERIC.MP#1 amd64 LibreSSL 4.0.0;
more in line with what @jvanasco is expecting to see.

$ uname -a
OpenBSD e6430-i5.my.domain 7.6 GENERIC.MP#1 amd64
$ openssl version
LibreSSL 4.0.0

$ sha256 *.cer
SHA256 (ca.cer) = 13bab0b4e1fcd7715ee6d988b6728fb8991b8d23c032869575299a96b4a2c572
SHA256 (chief.middlebury.edu.cer) = 2276408691688770b125a1a08137bf5d6ef6b4381966156aee96ccf821711c8f
SHA256 (fullchain.cer) = 934d256e956da04d631f2279aea688dfa59de7804ddce69d030e22634a7c73d1

$ openssl verify -CAfile ./ca.cer ./chief.middlebury.edu.cer
CN = chief.middlebury.edu
error 20 at 1 depth lookup:unable to get local issuer certificate
./chief.middlebury.edu.cer: verification failed: 20 (unable to get local issuer certificate)

Edit: chief.middlebury.edu.cer: OK 🙂

$ openssl verify -purpose sslserver -CAfile /etc/ssl/cert.pem -untrusted ca.cer chief.middlebury.edu.cer
chief.middlebury.edu.cer: OK

Edit: and on Ubuntu chief.middlebury.edu.cer: OK too! 🙂

$ openssl verify -purpose sslserver -CAfile /etc/ssl/certs/ca-certificates.crt -untrusted ca.cer chief.middlebury.edu.cer
chief.middlebury.edu.cer: OK
1 Like