How to verify LE cert using openssl?

What is the correct way to openssl verify a recent certificate issued by letsencrypt? I get either

% openssl verify -CAfile chain.pem cert.pem 
O = Digital Signature Trust Co., CN = DST Root CA X3
error 10 at 3 depth lookup: certificate has expired
error cert.pem: verification failed

or

openssl verify -CAfile chain.pem cert.pem 
C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error cert.pem: verification failed

or

% openssl verify -CAfile /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt fullchain.pem
CN = example.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error fullchain.pem: verification failed

or similar. A web browser seems to have no problem to verify the certificate (using

        SSLCertificateFile    /etc/ssl/example.com/fullchain.pem
        SSLCertificateKeyFile /etc/ssl/example.com/privkey.pem

on the server), so WTH?

I think a more accurate test is:

openssl verify \
-untrusted /etc/ssl/example.com/chain.pem /etc/ssl/example.com/cert.pem

The documentation for untrusted is:

-untrusted file
A file of additional untrusted certificates (intermediate issuer CAs) used to construct a certificate chain from the subject
certificate to a trust-anchor. The file should contain one or more certificates in PEM format. This option can be specified more
than once to include untrusted certificates from multiple files.

Depending on your system, you might also need:

-CAfile /etc/ssl/certs/ca-certificates.crt
4 Likes

Confirmed. Thank you very much for your hint. I missed the "untrusted" option in the man page. Apparently openssl verify ignores all but the first certificate in the fullchain.pem file.

1 Like