Strange problem: openssl verify not working on Proxmox VM, works on a bare metal system

Shawn Heisey openssl at elyograg.org
Mon Sep 5 02:18:16 UTC 2022


On 9/4/22 01:55, Roger James via openssl-users wrote:
> As I mentioned in an earlier post you need version 1.1 or later of 
> openssl to successfully validate post September 30, 2021 Let's Encrypt 
> certificates. The version on your CentOS system is 1.0.

The CentOS system was just another VM I ran the test on when I was still 
very confused about what was happening.  It's a basic server install on 
a VM that I power up when I need to try something on that OS without 
risking problems on production servers.

I will not be using any version of CentOS for this.  All my personal 
systems are Ubuntu, but I am restricted to RHEL clones for work -- 
primarily CentOS 7 and AlmaLinux 8.  The VM that I built for this task 
is Alma, which has 1.1.1k.  We haven't qualified our software setup to 
work on Alma 9 yet, so I am avoiding it even for a custom deployment 
like this.

I was finally able to get it to verify on Alma by using -untrusted 
instead of -CAfile, and including additional certificates to complete 
the chain.  I just tried exactly the same thing on CentOS 7 with openssl 
1.0.2k-fips and it verified ... because every certificate needed for the 
verification is supplied to the command.

Many thanks to Victor for the nudge that got me on the right track to 
make it work.  I have become very spoiled by Ubuntu ... when I work on 
RHEL clones, it always takes more effort.

Shawn
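
The behaviour described in the message above, reproduced offline as an added example (not part of the original post): a leaf fails to verify when the intermediate is missing, verifies once the intermediate is passed with `-untrusted`, and still fails when the chain ends at a root that is not a trust anchor, because `-untrusted` certificates are only used to build the path. Assumptions: every certificate, name and file here is constructed, and the throwaway root is passed with `-CAfile` to stand in for the system trust store that the message relies on.

```shell
#!/bin/sh
# Constructed throwaway PKI: root -> intermediate -> leaf, plus an unrelated root.
csr() {  # $1 = dir, $2 = file stem, $3 = CN; writes $2.key and $2.csr
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_chain() {  # $1 = output directory
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    for r in root other; do  # two self-signed CAs; only "root" issues anything
        openssl req -x509 -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
            -extensions v3_ca -subj "/CN=Constructed $r CA" -days 1 \
            -keyout "$1/$r.key" -out "$1/$r.pem" 2>/dev/null || return 1
    done
    csr "$1" int "Constructed Intermediate" &&
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -set_serial 2 -days 1 -extfile "$1/ca.cnf" -extensions v3_ca \
        -out "$1/int.pem" 2>/dev/null &&
    csr "$1" leaf "leaf.example.test" &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
        -set_serial 3 -days 1 -out "$1/leaf.pem" 2>/dev/null &&
    cat "$1/int.pem" "$1/root.pem" > "$1/chain.pem"  # intermediate + root bundle
}

# $1 = trust anchor (-CAfile), $2 = leaf, $3 = optional -untrusted bundle.
# Prints "ok" only if openssl reports the leaf as verified.
verify() {
    if openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1 | grep -q ': OK$'
    then echo ok; else echo fail; fi
}

d=$(mktemp -d) || exit 1
trap 'rm -rf "$d"' EXIT
make_chain "$d" || exit 1
echo "anchor=root,  no intermediate supplied: $(verify "$d/root.pem" "$d/leaf.pem")"
echo "anchor=root,  -untrusted int.pem:       $(verify "$d/root.pem" "$d/leaf.pem" "$d/int.pem")"
echo "anchor=other, -untrusted int+root:      $(verify "$d/other.pem" "$d/leaf.pem" "$d/chain.pem")"
```
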


