Strange problem: openssl verify not working on Proxmox VM, works on a bare metal system
Shawn Heisey
openssl at elyograg.org
Sat Sep 3 18:26:12 UTC 2022
On 9/2/22 21:42, Shawn Heisey via openssl-users wrote:
> Other bare metal systems and their results with the same PEM file:
>
> Verifies on Proxmox (the one running the VM) with openssl 1.1.1n
> Verifies on Ubuntu 22.04 with openssl 3.0.2
> Fails on CentOS 7.5.1804 with openssl 1.0.2k-fips
Additional tests done with an identical PEM file and the results:
Passed on Ubuntu Server 22.04 VM, openssl 3.0.2, installed on the same Proxmox host as the Alma VM that fails.
Passed on Ubuntu 22.04 desktop bare metal, openssl 3.0.2
Failed on CentOS 7 VM running in qemu on that Ubuntu desktop, openssl 1.0.2k-fips
Failed on Fedora35 VM running in qemu on that Ubuntu desktop, openssl 1.1.1q
Passed on Ubuntu Server 22.04 bare metal, using quictls openssl version 3.0.5+quic
Looks like there is something about RPM-based distros that breaks part
of openssl.
One other bit of info. I ran another test on the Alma VM where I
compiled the master branch of https://github.com/openssl/openssl to
/usr/local/ossl3 and used that to try the verify. This is the failure
output:
[root@certs ~]# /usr/local/bin/ossl verify -CAfile /etc/ssl/certs/local/DOMAIN.wildcards.pem /etc/ssl/certs/local/DOMAIN.wildcards.pem
C=US, O=Let's Encrypt, CN=R3
error 2 at 1 depth lookup: unable to get issuer certificate
error /etc/ssl/certs/local/DOMAIN.wildcards.pem: verification failed
[root@certs ~]# /usr/local/bin/ossl version
OpenSSL 3.1.0-dev (Library: OpenSSL 3.1.0-dev )
Thoughts?
Thanks,
Shawn