Strange problem: openssl verify not working on Proxmox VM, works on a bare metal system

Roger James roger at
Sat Sep 3 19:29:01 UTC 2022

On 3 September 2022 19:26:50 Shawn Heisey via openssl-users 
<openssl-users at> wrote:

> On 9/2/22 21:42, Shawn Heisey via openssl-users wrote:
>> Other bare metal systems and their results with the same PEM file:
>> Verifies on Proxmox (the one running the VM) with openssl 1.1.1n
>> Verifies on Ubuntu 22.04 with openssl 3.0.2
>> Fails on CentOS 7.5.1804 with openssl 1.0.2k-fips
> Additional tests done with an identical PEM file and the results:
> Passed on Ubuntu Server 22.04 VM, openssl 3.0.2, installed on the same
> proxmox host as the Alma VM that fails.
> Passed on Ubuntu 22.04 desktop bare metal, openssl 3.0.2
> Failed on Centos 7 VM running in qemu on that Ubuntu desktop, openssl
> 1.0.2k-fips
> Failed on Fedora35 VM running in qemu on that Ubuntu desktop, openssl 1.1.1q
> Passed on Ubuntu Server 22.04 bare metal, using quictls openssl version
> 3.0.5+quic
> Looks like there is something about RPM-based distros that breaks part
> of openssl.
> One other bit of info.  I ran another test on the Alma VM where I
> compiled the master branch of to
> /usr/local/ossl3 and used that to try the verify. This is the failure
> output:
> [root at certs ~]# /usr/local/bin/ossl verify -CAfile
> /etc/ssl/certs/local/DOMAIN.wildcards.pem
> /etc/ssl/certs/local/DOMAIN.wildcards.pem
> C=US, O=Let's Encrypt, CN=R3
> error 2 at 1 depth lookup: unable to get issuer certificate
> error /etc/ssl/certs/local/DOMAIN.wildcards.pem: verification failed
> [root at certs ~]# /usr/local/bin/ossl version
> OpenSSL 3.1.0-dev  (Library: OpenSSL 3.1.0-dev )
> Thoughts?
> Thanks,
> Shawn
R3 is a lets encrypt intermediate cert. This could be due to the retirement 
of the ISRG X1 certificate last year. I would check that  /etc/ssl/certs or 
wherever the default ca store is on your systems, is up to date.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list