Strange problem: openssl verify not working on Proxmox VM, works on a bare metal system

Viktor Dukhovni openssl-users at dukhovni.org
Sat Sep 3 22:07:42 UTC 2022


On Fri, Sep 02, 2022 at 09:42:13PM -0600, Shawn Heisey via openssl-users wrote:

> On an AlmaLinux 8.6 VM hosted in Proxmox:
> 
> [root at certs ~]# openssl verify -CAfile /etc/ssl/certs/local/DOMAIN.wildcards.pem /etc/ssl/certs/local/DOMAIN.wildcards.pem
> C = US, O = Let's Encrypt, CN = R3
> error 2 at 1 depth lookup: unable to get issuer certificate
> error /etc/ssl/certs/local/DOMAIN.wildcards.pem: verification failed

Post the output of:

    $ openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/local/DOMAIN.wildcards.pem |
        openssl pkcs7 -print_certs -noout |
        perl -ne 'BEGIN{$/="\n\n\n"} s/\n+/\n/g; print $_, "\n"'

> If I copy the PEM file to a bare metal system running Ubuntu Server 
> 20.04, it verifies:

Note that OpenSSL verify also looks in the default CApath, and this may
vary from system to system.  The results may depend on what's installed
there.

The verify(1) command will attempt to construct a chain to a trusted
root using the specified or default CAfile and CApath.  You should
really be using the "-untrusted" option, not the "-CAfile" option:

    # cert=/etc/ssl/certs/local/DOMAIN.wildcards.pem
    # openssl verify -untrusted "$cert" "$cert"

This adds the untrusted intermediate certs from the cert file to
the dataset, without shadowing the default CAfile.

-- 
    Viktor.
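
The situation Viktor describes, as an added example that is not part of
the post or of OpenSSL itself: a POSIX shell script that builds a
throwaway root/intermediate/leaf PKI, reproduces the "error 2 at 1 depth
lookup: unable to get issuer certificate" result with "-CAfile", shows the
very same command passing once a hashed CApath happens to hold the root
(the difference between the two hosts), and then runs the "-untrusted"
form.  It assumes openssl 1.1.1 or later on PATH; the names (Example
Root, Example Intermediate, www.example.test) and the temporary paths are
invented for the demo.

```shell
#!/bin/sh
# Added example, not code from the list post or from OpenSSL: build a
# throwaway three-tier PKI (root -> intermediate -> leaf), then run the
# poster's "-CAfile bundle bundle" command against it and compare with
# the -untrusted form.  Assumes openssl >= 1.1.1 on PATH.  All names
# (Example Root, www.example.test) and paths are made up for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

setup_pki() {
    # Self-contained config so the run does not depend on the system openssl.cnf.
    cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = unused
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    for n in root int leaf; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$n.key"
    done
    # Root: self-signed CA certificate (the only real trust anchor here).
    openssl req -x509 -new -key root.key -config openssl.cnf -extensions ca_ext \
        -subj "/CN=Example Root" -days 3650 -out root.pem
    # Intermediate: CA:TRUE, signed by the root, therefore NOT self-signed.
    openssl req -new -key int.key -config openssl.cnf -subj "/CN=Example Intermediate" -out int.csr
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 3650 \
        -extfile openssl.cnf -extensions ca_ext -out int.pem 2>/dev/null
    # Leaf: signed by the intermediate.
    openssl req -new -key leaf.key -config openssl.cnf -subj "/CN=www.example.test" -out leaf.csr
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 365 \
        -extfile openssl.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null
    # The kind of file the poster has: leaf first, then the intermediate, no root.
    cat leaf.pem int.pem > chain.pem
    # A hashed CApath directory holding only the root, standing in for a
    # system store that happens to contain the root (the Ubuntu host).
    mkdir capath
    cp root.pem "capath/$(openssl x509 -in root.pem -noout -subject_hash).0"
}

# Viktor's diagnostic: print subject and issuer of every cert in the bundle.
list_chain() {
    openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout
}

# The poster's command.  -no-CApath models a host whose default CApath holds
# nothing useful: the bundle becomes the whole trust store, and because its
# intermediate is not self-signed the chain never reaches a trust anchor.
verify_cafile_only() {
    openssl verify -no-CApath -CAfile chain.pem chain.pem
}

# The same command on a host whose CApath contains the hashed root: -CAfile
# replaces the default CAfile but not CApath, so the root is still found.
verify_cafile_with_capath() {
    openssl verify -CApath capath -CAfile chain.pem chain.pem
}

# The recommended form: the bundle only supplies untrusted intermediates;
# root.pem stands in for the default CAfile/CApath that would normally apply.
verify_untrusted() {
    openssl verify -no-CApath -CAfile root.pem -untrusted chain.pem chain.pem
}

setup_pki
echo "== certificates in chain.pem"; list_chain
echo "== -CAfile chain.pem with no usable CApath (what the VM showed)"
verify_cafile_only || echo "=> fails: the intermediate is trusted but is not a root"
echo "== -CAfile chain.pem with the root in CApath (what the Ubuntu host showed)"
verify_cafile_with_capath
echo "== -CAfile root.pem -untrusted chain.pem (the recommended form)"
verify_untrusted
```

Each verify prints either "chain.pem: OK" or the depth-1 lookup error.
The -no-CApath flag is there only to keep the demo independent of whatever
the host's own default CApath contains, since that directory is exactly
the variable that differed between the two machines.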

