Unable to verify fullchain.pem

Hi,

Since my latest certificate renewal I'm getting issues with intermediate certificates.

I first noticed it when fetchmail started complaining of:

fetchmail: webbox.itbox.co.za key fingerprint: 32:EE:04:9A:99:7E:E5:A9:22:BB:F6:24:1D:7F:18:D1
fetchmail: webbox.itbox.co.za fingerprints match.
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Broken certification chain at: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

Trying to verify the certificates on the server says:

root@webbox:~# openssl verify /etc/letsencrypt/live/www.analize.co.za/cert.pem
CN = www.analize.co.za
error 20 at 0 depth lookup: unable to get local issuer certificate
error /etc/letsencrypt/live/www.analize.co.za/cert.pem: verification failed

root@webbox:~# openssl verify /etc/letsencrypt/live/www.analize.co.za/fullchain.pem
CN = www.analize.co.za
error 20 at 0 depth lookup: unable to get local issuer certificate
error /etc/letsencrypt/live/www.analize.co.za/fullchain.pem: verification failed

My domain is: www.analize.co.za

I ran this command:

openssl verify /etc/letsencrypt/live/www.analize.co.za/fullchain.pem

It produced this output:

CN = www.analize.co.za
error 20 at 0 depth lookup: unable to get local issuer certificate
error /etc/letsencrypt/live/www.analize.co.za/fullchain.pem: verification failed

Browsing the web sites on the server seems fine.

My web server is (include version): Apache 2.4.25-3+deb9u9

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.9.0

Where did you get the command syntax for openssl verify?
I have never seen it being used this way.
Furthermore, when I try doing that against a known working cert, it shows the same error message.

I don't think you are using that command properly.

Thanks for the input. Perhaps I'm looking at this wrong. I think my renewal hooks got mixed up with the latest upgrade to certbot.

I think it's likely the case that one of your SSL-protected mail services doesn't have a full certificate chain.

For example, that is the case for port 995 (POP3S). You have only configured the certificate (cert.pem) rather than the full certificate chain (fullchain.pem).

On a properly configured server, the below would show 2 certificates (the leaf certificate + the intermediate). In your case below, there's only the leaf certificate:

$ openssl s_client -connect webbox.itbox.co.za:995 -showcerts | openssl x509
depth=0 CN = www.analize.co.za
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.analize.co.za
verify error:num=21:unable to verify the first certificate
verify return:1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Try this instead:

openssl verify -CAfile /etc/letsencrypt/live/www.analize.co.za/chain.pem /etc/letsencrypt/live/www.analize.co.za/cert.pem

OK that seems fine. I'll have to figure out how I made the pop3 certificate. There was a hook for that but it appears to have vanished.

Name:    webbox.itbox.co.za
Address:  169.239.183.57
Aliases:  www.analize.co.za

openssl s_client -connect www.analize.co.za:995 -showcerts | openssl x509
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.analize.co.za
verify return:1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

This part has me confused:

Unless he already fixed the problem...

I think I did. Thanks for the help.


I can't find a working example of this :frowning:

OK, I do see more than one cert.
But instead of doing this:

Just shorten that to:
openssl s_client -connect webbox.itbox.co.za:995 -showcerts

Yes, you are right, the additional certificates get truncated with the second command.
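Added example, not from any of the posts above and not certbot's own tooling: a shell script that builds a constructed root -> intermediate -> leaf chain offline, lays the files out the way certbot does (cert.pem, chain.pem, fullchain.pem), and then reproduces the three points made in the thread: verifying the leaf on its own reports "unable to get local issuer certificate" even when the root is trusted, supplying the intermediate (chain.pem) makes verification succeed, and piping `-showcerts` output through `openssl x509` hides every certificate after the first. The hostname www.example.test and all CA names are placeholders I made up; the only dependency is the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread): constructed root -> intermediate -> leaf chain,
# used to show why `openssl verify cert.pem` fails and what a full chain fixes.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the example does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# Root CA: the trust anchor (constructed name).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" \
  -subj "/CN=Constructed Test Root" \
  -config "$WORK/openssl.cnf" -extensions v3_ca 2>/dev/null

# Intermediate CA, signed by the root (constructed name).
openssl req -new -newkey rsa:2048 -nodes \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" \
  -subj "/CN=Constructed Test Intermediate" \
  -config "$WORK/openssl.cnf" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/int.csr" \
  -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -extfile "$WORK/openssl.cnf" -extensions v3_ca \
  -out "$WORK/int.pem" 2>/dev/null

# Leaf (server) certificate for the placeholder host, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes \
  -keyout "$WORK/privkey.pem" -out "$WORK/leaf.csr" \
  -subj "/CN=www.example.test" \
  -config "$WORK/openssl.cnf" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/leaf.csr" \
  -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
  -extfile "$WORK/openssl.cnf" -extensions v3_leaf \
  -out "$WORK/cert.pem" 2>/dev/null

# certbot layout: cert.pem = leaf, chain.pem = intermediate(s), fullchain.pem = both.
cp "$WORK/int.pem" "$WORK/chain.pem"
cat "$WORK/cert.pem" "$WORK/chain.pem" > "$WORK/fullchain.pem"

# Run openssl verify and report "ok" or "fail" instead of letting set -e abort.
verify_result() {
  if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Leaf alone with only the root trusted: the intermediate is missing, so the
# chain cannot be built. This is what a mail client sees when the server sends
# only cert.pem. Expected: fail ("error 20 ... unable to get local issuer certificate").
verify_leaf_alone() {
  verify_result -CAfile "$WORK/root.pem" "$WORK/cert.pem"
}

# Same leaf, with chain.pem supplied as the untrusted link to the root. Expected: ok.
verify_leaf_with_chain() {
  verify_result -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" "$WORK/cert.pem"
}

# Number of PEM certificates in a file or on stdin.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$@"
}

# `openssl x509` reads and re-emits only the first certificate, so piping
# -showcerts output through it drops every intermediate.
count_certs_after_x509() {
  openssl x509 -in "$1" | count_certs
}

echo "leaf alone, root trusted:         $(verify_leaf_alone)"
echo "leaf + chain.pem as -untrusted:   $(verify_leaf_with_chain)"
echo "certs in fullchain.pem:           $(count_certs "$WORK/fullchain.pem")"
echo "certs after piping through x509:  $(count_certs_after_x509 "$WORK/fullchain.pem")"
```

Running it prints fail, ok, 2 and 1 in that order. The same `count_certs` applied to a file saved from `openssl s_client -connect host:995 -showcerts </dev/null` tells you whether a server actually sends its intermediate: 1 means only the leaf, which is exactly the POP3S situation diagnosed above. `-untrusted` is the explicit way to hand openssl verify an intermediate; when chain.pem is given to `-CAfile` instead, the command only succeeds because the system CA directory still supplies the root.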

