What is the correct way to openssl verify a recent certificate issued by Let's Encrypt? I get either

% openssl verify -CAfile chain.pem cert.pem
O = Digital Signature Trust Co., CN = DST Root CA X3
error 10 at 3 depth lookup: certificate has expired
error cert.pem: verification failed

openssl verify -CAfile chain.pem cert.pem
C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error cert.pem: verification failed

% openssl verify -CAfile /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt fullchain.pem
CN = example.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error fullchain.pem: verification failed

or similar. A web browser seems to have no problem verifying the certificate (using

SSLCertificateFile /etc/ssl/example.com/fullchain.pem
SSLCertificateKeyFile /etc/ssl/example.com/privkey.pem

on the server), so WTH?