What is the correct way to openssl verify a recent certificate issued by letsencrypt? I get either
% openssl verify -CAfile chain.pem cert.pem
O = Digital Signature Trust Co., CN = DST Root CA X3
error 10 at 3 depth lookup: certificate has expired
error cert.pem: verification failed
or
openssl verify -CAfile chain.pem cert.pem
C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error cert.pem: verification failed
or
% openssl verify -CAfile /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt fullchain.pem
CN = example.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error fullchain.pem: verification failed
or similar. A web browser seems to have no problem to verify the certificate (using
SSLCertificateFile /etc/ssl/example.com/fullchain.pem
SSLCertificateKeyFile /etc/ssl/example.com/privkey.pem
on the server), so WTH?