Openssl verify of renewal fails

mlr · November 18, 2019, 7:05pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: access.paradigm4.com

I ran this command:
./certbot-auto certonly --standalone -d access.paradigm4.com

It produced this output:

Congratulations! Your certificate and chain have been saved at:

THEN I RAN

openssl verify -CAfile fullchain.pem cert.pem

cert.pem: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate

My web server is (include version):
I used “–standalone” so no web server

The operating system my web server runs on is (include version):
CentOS 7.4

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.40.1

rg305 · November 18, 2019, 7:57pm

This should have worked.
Please show those actual file date/time stamps:
ls -l /etc/letsencrypt/archive/<certname>/
[do they match?]

mlr · November 19, 2019, 12:06am

The actual files are:
[root@access access.paradigm4.com]# ls -l *2.pem
-rw-r–r--. 1 root root 1923 Nov 18 12:24 cert2.pem
-rw-r–r--. 1 root root 1647 Nov 18 12:24 chain2.pem
-rw-r–r--. 1 root root 3570 Nov 18 12:24 fullchain2.pem
-rw-------. 1 root root 1704 Nov 18 12:24 privkey2.pem

rg305 · November 19, 2019, 12:10am

try it in that folder:
openssl verify -CAfile fullchain2.pem cert2.pem

mlr · November 19, 2019, 12:41am

root@access access.paradigm4.com]# openssl verify -CAfile fullchain2.pem cert2.
cert2.pem: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate

mlr · November 19, 2019, 1:19am

I’m wondering if there is some ssl or crypt that needs updating?
Any thoughts?

rg305 · November 19, 2019, 1:22am

Try:

yum install -y ca-certificates

Also:

update-ca-trust
update-ca-certificates

schoen · November 19, 2019, 1:23am

If you have or can install strace, you might try

strace -e open openssl verify -CAfile fullchain2.pem cert2.pem

to see whether openssl is successfully checking a local trusted CA bundle (and, if so, which one).

(@rg305’s suggestion may help fix things if, for some reason, this OS doesn’t have such a trusted CA bundle installed.)

rg305 · November 19, 2019, 1:26am

I get:

yum install -y ca-certificates
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.mojohost.com
 * epel: d2lzkl7pfhq30w.cloudfront.net
 * extras: mirror.mojohost.com
 * updates: mirror.mojohost.com
Package ca-certificates-2018.2.22-70.0.el7_5.noarch already installed and latest version
Nothing to do

mlr · November 19, 2019, 2:11pm

I don’t see what CA bundle its checking:

[root@vpn-server access.paradigm4.com]# strace -e open openssl verify -CAfile fullchain2.pem cert2.pem
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/usr/lib64/libssl.so.10", O_RDONLY) = 3
open("/lib64/libgssapi_krb5.so.2", O_RDONLY) = 3
open("/lib64/libkrb5.so.3", O_RDONLY) = 3
open("/lib64/libcom_err.so.2", O_RDONLY) = 3
open("/lib64/libk5crypto.so.3", O_RDONLY) = 3
open("/usr/lib64/libcrypto.so.10", O_RDONLY) = 3
open("/lib64/libdl.so.2", O_RDONLY) = 3
open("/lib64/libz.so.1", O_RDONLY) = 3
open("/lib64/libc.so.6", O_RDONLY) = 3
open("/lib64/libkrb5support.so.0", O_RDONLY) = 3
open("/lib64/libkeyutils.so.1", O_RDONLY) = 3
open("/lib64/libresolv.so.2", O_RDONLY) = 3
open("/lib64/libpthread.so.0", O_RDONLY) = 3
open("/lib64/libselinux.so.1", O_RDONLY) = 3
open("/etc/pki/tls/legacy-settings", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/pki/tls/openssl.cnf", O_RDONLY) = 3
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 3
open(“fullchain2.pem”, O_RDONLY) = 3
open(“cert2.pem”, O_RDONLY) = 3
cert2.pem: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate

rg305 · November 19, 2019, 4:33pm

You may have to include -CApath
[but first you have to find that path - lol]

You can also try:
-show_chain

mlr · November 20, 2019, 12:39am

So I copied the cert and fullchain to a computer outside our fire wall and there it checks out OK.
I give up trying to find/install a proper ca-cert on our internal machines.
Now I am going to figure out how to install those certs on our openvpn server even though it can't validate them.

Thank you all for your help. Its taught me several tricks.

rg305 · November 20, 2019, 12:52am

But you did.
[not where you would like to - but they do validate]

mlr · November 20, 2019, 1:18am

So lets close this thread.

Yes they validate but the darn openvpn server won’t install them because it can not validate them.
We know they are valid but openvpn doesn’t.

rg305 · November 20, 2019, 1:21am

Is there an update?

mlr · November 20, 2019, 1:25am

If you mean update on forcing openvpn to take the certs…I’m still working on it.

orangepizza · November 20, 2019, 1:25am

openvpn doesn’t use public cert. it checks validate against CA section of .ovpn(vpn profile)file.

rg305 · November 20, 2019, 1:26am

I meant: Are you running the latest patch?
Is this helpful:

mlr · November 20, 2019, 2:19am

This is openvpn_as and there is no .ovpn file
Thanks for suggesting

mlr · November 20, 2019, 2:21am

Yes thanks. 2.7.4

I went in and hand edited the config.db and put in the newer certs.
That worked. So I’m all set.

Again thanks for your time and for looking.
Its been a big help.