Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
dev.spandesk.com
I ran this command:
sudo openssl pkcs12 -export -chain -in /etc/letsencrypt/live/dev.spandesk.com/cert.pem -inkey /etc/letsencrypt/live/dev.spandesk.com/privkey.pem -out dev.spandesk.p12 -name dev.spandesk.com -CAfile /etc/letsencrypt/live/dev.spandesk.com/fullchain.pem -caname root
sudo openssl pkcs12 -export -chain -in /etc/letsencrypt/live/dev.spandesk.com/cert.pem -inkey /etc/letsencrypt/live/dev.spandesk.com/privkey.pem -out dev.spandesk.p12 -name dev.spandesk.com -CAfile /etc/letsencrypt/live/dev.spandesk.com/chain.pem -caname root
It produced this output:
Error unable to get issuer certificate getting chain.
My web server is (include version):
Wildfly, not running yet because I need the certificate
The operating system my web server runs on is (include version):
AWS Linux 2
My hosting provider, if applicable, is:
AWS
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.11.0
I can't reproduce your error, both commands work perfectly when I substitute your certificate paths to a Let's Encrypt cert of my own. Only when I change fullchain.pem or chain.pem (both work here) for cert.pem, it gives your reported error. But that's obviously incorrect and not what you tried.
What's the output of the following command?:
openssl verify -CAfile /etc/letsencrypt/live/dev.spandesk.com/chain.pem /etc/letsencrypt/live/dev.spandesk.com/cert.pem
$ sudo openssl verify -CAfile /etc/letsencrypt/live/dev.spandesk.com/chain.pem /etc/letsencrypt/live/dev.spandesk.com/cert.pem
/etc/letsencrypt/live/dev.spandesk.com/cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate
$ sudo openssl verify -CAfile /etc/letsencrypt/live/dev.spandesk.com/fullchain.pem /etc/letsencrypt/live/dev.spandesk.com/cert.pem
/etc/letsencrypt/live/dev.spandesk.com/cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate
It seems there's something wrong with your files, that should have produced the output:
/etc/letsencrypt/live/dev.spandesk.com/cert.pem: OK
Can you provide the output of ls -l /etc/letsencrypt/live/dev.spandesk.com/ and also the contents of the files cert.pem, chain.pem and fullchain.pem? Note that those three files are public knowledge, however privkey.pem is obviously not and you should never share its contents. However, the three I mentioned earlier can be shared without problems (the cert is already published in certificate logs and the chain is a public cert from Let's Encrypt, maybe just the incorrect one.)
If I may guess your cert.pem actually has the contents of chain.pem looking at the issuer.
$ sudo ls -l /etc/letsencrypt/live/dev.spandesk.com/
total 4
lrwxrwxrwx 1 root root 40 May 18 12:23 cert.pem -> ../../archive/dev.spandesk.com/cert1.pem
lrwxrwxrwx 1 root root 41 May 18 12:23 chain.pem -> ../../archive/dev.spandesk.com/chain1.pem
lrwxrwxrwx 1 root root 45 May 18 12:23 fullchain.pem -> ../../archive/dev.spandesk.com/fullchain1.pem
lrwxrwxrwx 1 root root 43 May 18 12:23 privkey.pem -> ../../archive/dev.spandesk.com/privkey1.pem
-rw-r--r-- 1 root root 692 May 18 12:23 README
sudo less /etc/letsencrypt/live/dev.spandesk.com/cert.pem
sudo less /etc/letsencrypt/live/dev.spandesk.com/chain.pem
sudo less /etc/letsencrypt/live/dev.spandesk.com/fullchain.pem
Hm, cert.pem and chain.pem do look good indeed..
However, this is of course the longer chain which is in production since the beginning of May. My certs all have the older chain with just a single intermediate. I thought that might be the reason why the OpenSSL commands don't work, but when I run the verify command, it says "OK" here nonetheless. With the files I copy/pasted from your post! Obviously I can't try your pkcs12 command with your files.
Which OpenSSL version are you using? I'm on 1.1.1k.
OpenSSL 1.0.2k-fips 26 Jan 2017
I installed openssl11 but I get the same error as above
I just booted a random virtual machine I found using Google (https://www.offidocs.com/index.php/desktop-online-utilities-apps/xlinux-online-linux), and it just works:
~ $ openssl version
OpenSSL 1.0.1h 5 Jun 2014
~ $ cat >cert.pem <<EOF
> ^C
>
> EOF
~ $ rm cert.pem
~ $ ls
test.cert.pem test.chain.pem
~ $ openssl verify -CAfile test.chain.pem test.cert.pem
test.cert.pem: OK
(Between the cat (which didn't work..) and ls I found the file upload command of that service)
So it's very weird but I don't seem to be able to reproduce your issue. The files look just fine.
I just deleted and reissued the certificate, which gave me a longer fullchain.pem, but I still get the same error.
I just did the same thing and received the error
Osiris (May 18, 2021, 6:08pm, post 12):
How can you get the error when you're using the same files and the same software? That's just plain weird.
Yeah, I don't get it either.
$ openssl verify -CAfile chain.pem cert.pem
cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate
$ openssl verify -CAfile fullchain.pem cert.pem
cert.pem: C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup:unable to get issuer certificate
Osiris (May 18, 2021, 6:25pm, post 14):
That's just incorrect. The issuer is R3.
What's the output of openssl x509 -noout -text <cert.pem?
$ openssl x509 -noout -text <cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:4b:d7:ca:8f:7b:f2:4f:6c:7f:fa:d2:f7:ab:f5:62:51:cb
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=R3
Validity
Not Before: May 18 16:51:04 2021 GMT
Not After : Aug 16 16:51:04 2021 GMT
Subject: CN=dev.spandesk.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
79:34:D0:44:B5:84:C1:F7:4D:FD:E3:94:31:3D:A2:B7:C4:7C:81:9E
X509v3 Authority Key Identifier:
keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
Authority Information Access:
OCSP - URI:http://r3.o.lencr.org
CA Issuers - URI:http://r3.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:dev.spandesk.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1(0)
Log ID : 5C:DC:43:92:FE:E6:AB:45:44:B1:5E:9A:D4:56:E6:10:
37:FB:D5:FA:47:DC:A1:73:94:B2:5E:E6:F6:C7:0E:CA
Timestamp : May 18 17:51:04.840 2021 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:F3:88:EE:5A:A9:EC:71:C3:4E:90:A6:
C8:42:20:5A:23:1C:02:54:1D:CE:F6:39:72:1F:27:A2:
37:FF:91:F8:7D:02:20:49:8F:58:3C:76:A1:0B:86:C8:
9E:8F:6E:59:F4:94:24:C8:B6:3B:67:05:D5:D6:C4:F7:
E6:FB:F3:E4:86:7F:D8
Signed Certificate Timestamp:
Version : v1(0)
Log ID : F6:5C:94:2F:D1:77:30:22:14:54:18:08:30:94:56:8E:
E3:4D:13:19:33:BF:DF:0C:2F:20:0B:CC:4E:F1:64:E3
Timestamp : May 18 17:51:04.829 2021 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:C9:2C:24:AA:BC:0B:0D:95:70:17:B1:
27:6B:38:49:17:55:D2:42:6F:9A:9C:CD:1F:19:A4:CE:
2E:45:0F:6C:24:02:20:15:6E:25:1B:37:B9:33:78:25:
A5:BE:4C:C8:87:9C:7D:A8:42:3C:1B:14:2B:94:82:FC:
1E:E9:B4:8D:AF:1E:83
Signature Algorithm: sha256WithRSAEncryption
Osiris (May 18, 2021, 6:31pm, post 16):
Well, maybe someone else has a brilliant idea. I'm out of them.
thanks for all your input
For me it looks like OpenSSL can't fully verify the chain, as it probably has no root certificates. You could see if installing root certs on your machine (e.g. ca-certificates package) resolves the issue.
Package ca-certificates-2020.2.41-70.0.amzn2.0.1.noarch already installed and latest version
Nothing to do
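The error text from this thread, reproduced with a throwaway chain of the same shape as the longer Let's Encrypt chain (leaf, intermediate, cross-signed root). This is an added example, not part of any post above; apart from the cert.pem and chain.pem file names, every name, key and certificate is constructed for the demo, and it does not establish the cause on the poster's machine.

```bash
#!/usr/bin/env bash
# Added example: every key, name and certificate here is constructed test data.
set -eu
work=$(mktemp -d) && cd "$work"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF

# issue NAME CN ISSUER EXT: write NAME.key and NAME.pem (ISSUER "self" = self-signed).
issue() {
  local name=$1 cn=$2 issuer=$3 ext=$4 signer
  openssl req -config demo.cnf -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
  if [ "$issuer" = self ]; then signer="-signkey $name.key"
  else signer="-CA $issuer.pem -CAkey $issuer.key -CAcreateserial"; fi
  # $signer is split into words on purpose; the file names contain no spaces.
  openssl x509 -req -in "$name.csr" $signer -days 2 \
    -extfile demo.cnf -extensions "$ext" -out "$name.pem" 2>/dev/null
}

# list_links BUNDLE: print subject and issuer of every certificate in a PEM bundle.
list_links() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# verify_output CAFILE: what openssl verify prints for cert.pem (never aborts the script).
verify_output() { openssl verify -CAfile "$1" cert.pem 2>&1 || true; }

issue oldroot "Demo Old Root"     self    ca
issue newroot "Demo New Root"     oldroot ca   # cross-signed, so not self-signed
issue inter   "Demo Intermediate" newroot ca
issue leaf    "leaf.example.test" inter   leaf
cp leaf.pem cert.pem
cat inter.pem newroot.pem > chain.pem          # intermediate + cross-signed root
cat chain.pem oldroot.pem > chain-plus-root.pem

list_links chain.pem
verify_output chain.pem            # error 2 at 2 depth lookup, naming "Demo New Root"
verify_output chain-plus-root.pem  # cert.pem: OK
```

The name on the first line of the failing run is the certificate at the reported depth whose issuer could not be found, so list_links on the -CAfile bundle shows which issuer still has to be supplied.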