Openssl verify of renewal fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: access.paradigm4.com

I ran this command:
./certbot-auto certonly --standalone -d access.paradigm4.com

It produced this output:

  • Congratulations! Your certificate and chain have been saved at:

THEN I RAN

openssl verify -CAfile fullchain.pem cert.pem

cert.pem: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate

My web server is (include version):
I used “–standalone” so no web server

The operating system my web server runs on is (include version):
CentOS 7.4

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.40.1

This should have worked.
Please show those actual file date/time stamps:
ls -l /etc/letsencrypt/archive/<certname>/
[do they match?]

The actual files are:
[root@access access.paradigm4.com]# ls -l *2.pem
-rw-r–r--. 1 root root 1923 Nov 18 12:24 cert2.pem
-rw-r–r--. 1 root root 1647 Nov 18 12:24 chain2.pem
-rw-r–r--. 1 root root 3570 Nov 18 12:24 fullchain2.pem
-rw-------. 1 root root 1704 Nov 18 12:24 privkey2.pem

try it in that folder:
openssl verify -CAfile fullchain2.pem cert2.pem

root@access access.paradigm4.com]# openssl verify -CAfile fullchain2.pem cert2.
cert2.pem: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate

I’m wondering if there is some ssl or crypt that needs updating?
Any thoughts?

Try:

yum install -y ca-certificates

Also:

update-ca-trust
update-ca-certificates
1 Like

If you have or can install strace, you might try

strace -e open openssl verify -CAfile fullchain2.pem cert2.pem

to see whether openssl is successfully checking a local trusted CA bundle (and, if so, which one).

(@rg305’s suggestion may help fix things if, for some reason, this OS doesn’t have such a trusted CA bundle installed.)

1 Like

I get:

yum install -y ca-certificates
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.mojohost.com
 * epel: d2lzkl7pfhq30w.cloudfront.net
 * extras: mirror.mojohost.com
 * updates: mirror.mojohost.com
Package ca-certificates-2018.2.22-70.0.el7_5.noarch already installed and latest version
Nothing to do

I don’t see what CA bundle its checking:

[root@vpn-server access.paradigm4.com]# strace -e open openssl verify -CAfile fullchain2.pem cert2.pem
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/usr/lib64/libssl.so.10", O_RDONLY) = 3
open("/lib64/libgssapi_krb5.so.2", O_RDONLY) = 3
open("/lib64/libkrb5.so.3", O_RDONLY) = 3
open("/lib64/libcom_err.so.2", O_RDONLY) = 3
open("/lib64/libk5crypto.so.3", O_RDONLY) = 3
open("/usr/lib64/libcrypto.so.10", O_RDONLY) = 3
open("/lib64/libdl.so.2", O_RDONLY) = 3
open("/lib64/libz.so.1", O_RDONLY) = 3
open("/lib64/libc.so.6", O_RDONLY) = 3
open("/lib64/libkrb5support.so.0", O_RDONLY) = 3
open("/lib64/libkeyutils.so.1", O_RDONLY) = 3
open("/lib64/libresolv.so.2", O_RDONLY) = 3
open("/lib64/libpthread.so.0", O_RDONLY) = 3
open("/lib64/libselinux.so.1", O_RDONLY) = 3
open("/etc/pki/tls/legacy-settings", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/pki/tls/openssl.cnf", O_RDONLY) = 3
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 3
open(“fullchain2.pem”, O_RDONLY) = 3
open(“cert2.pem”, O_RDONLY) = 3
cert2.pem: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate

You may have to include -CApath
[but first you have to find that path - lol]

You can also try:
-show_chain

So I copied the cert and fullchain to a computer outside our fire wall and there it checks out OK.
I give up trying to find/install a proper ca-cert on our internal machines.
Now I am going to figure out how to install those certs on our openvpn server even though it can’t validate them.

Thank you all for your help. Its taught me several tricks.

But you did.
[not where you would like to - but they do validate]

So lets close this thread.

Yes they validate but the darn openvpn server won’t install them because it can not validate them.
We know they are valid but openvpn doesn’t.

Is there an update?

If you mean update on forcing openvpn to take the certs…I’m still working on it.

openvpn doesn’t use public cert. it checks validate against CA section of .ovpn(vpn profile)file.

I meant: Are you running the latest patch?
Is this helpful:

This is openvpn_as and there is no .ovpn file
Thanks for suggesting

Yes thanks. 2.7.4

I went in and hand edited the config.db and put in the newer certs.
That worked. So I’m all set.

Again thanks for your time and for looking.
Its been a big help.

1 Like