I am having the same issue on 20.04. After reading this thread, I'm going to put in my responses to your questions to andyrue. If I should open another issue, since it's a different OS, that is fine. I found this when I was updating OCSP files, and ended up getting it down to the first command below.
Before you get to the nitty gritty, thanks in advance!
$> openssl verify -CAfile /etc/letsencrypt/live/ukybonds.com/chain.pem /etc/letsencrypt/live/ukybonds.com/cert.pem

Results in:

C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error /etc/letsencrypt/live/ukybonds.com/cert.pem: verification failed
I am able to run wget https://letsencrypt.org/certs/isrgrootx1.pem fine.
$> sudo apt install libgnutls30
Reading package lists... Done
Building dependency tree
Reading state information... Done
libgnutls30 is already the newest version (3.6.13-2ubuntu1.6).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

$> sudo apt install libgnutls-openssl27
Reading package lists... Done
Building dependency tree
Reading state information... Done
libgnutls-openssl27 is already the newest version (3.6.13-2ubuntu1.6).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
$> ls -l /usr/local/share/ca-certificates/
-- Empty directory
$> ls -l /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 199113 Sep 27 17:12 /etc/ssl/certs/ca-certificates.crt
If I use openssl s_client to read the live certs it works fine, and says that each level is valid
$> openssl s_client -connect www.ukybonds.com:443 -showcerts | openssl x509
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = ukybonds.com
verify return:1
-- certificate omitted for space --