I am having the same issue on 20.04. After reading this thread, i'm going to put in my responses to your questions to andyrue. If I should open another issue, since its a different OS, that is fine. I found this when i was updating ocsp
files, and ended up getting it down the first command below.
Before you get to the nitty gritty, thanks in advance!
$> openssl verify -CAfile /etc/letsencrypt/live/ukybonds.com/chain.pem /etc/letsencrypt/live/ukybonds.com/cert.pem
Results in:
C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error /etc/letsencrypt/live/ukybonds.com/cert.pem: verification failed
I am able to run wget https://letsencrypt.org/certs/isrgrootx1.pem
fine.
$> sudo apt install libgnutls30
Reading package lists... Done
Building dependency tree
Reading state information... Done
libgnutls30 is already the newest version (3.6.13-2ubuntu1.6).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
$> sudo apt install libgnutls-openssl27
Reading package lists... Done
Building dependency tree
Reading state information... Done
libgnutls-openssl27 is already the newest version (3.6.13-2ubuntu1.6).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
$> ls -l /usr/local/share/ca-certificates/
-- Empty directory
$> ls -l /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 199113 Sep 27 17:12 /etc/ssl/certs/ca-certificates.crt
If i use openssl s_client
to read the live certs it works fine, and says that each level is valid
$> openssl s_client -connect www.ukybonds.com:443 -showcerts | openssl x509
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = ukybonds.com
verify return:1
-- certificate omitted for space --