I generate a certificate with Let's Encrypt using the Certbot container:
$ mkdir /home/$USER/letsencrypt
$ docker run -it --rm -p 80:80 -p 443:443 -v /home/$USER/letsencrypt:/etc/letsencrypt certbot/certbot certonly --standalone --email user@example.com --agree-tos -d example.com
I navigate to the generated certificate:
$ cd /home/$USER/letsencrypt/live/example.com
I can verify chain.pem:
$ openssl verify chain.pem
chain.pem: OK
And I can see what's in chain.pem:
$ openssl x509 -noout -in chain.pem -subject -issuer
subject=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
I can't verify cert.pem (presumably because it needs the chain):
$ openssl verify cert.pem
CN = example.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error cert.pem: verification failed
But I also can't verify fullchain.pem either:
$ openssl verify fullchain.pem
CN = example.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error fullchain.pem: verification failed
The certificate seems to work in the browser, but is failing in curl
(and an Android http client, which is the real issue):
$ curl https://example.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
I've double-checked that fullchain.pem is a concatenation of cert.pem and chain.pem.
So: I don't understand why fullchain.pem doesn't verify.
I figured this out from man verify, reading the description of untrusted. Turns out untrusted is actually how you specify the certificate chain of trust (seems counterintuitive when you put it like that).
So, the command you need to verify a Letsencrypt cert is:
openssl verify -untrusted chain.pem cert.pem
Where cert.pem is your certificate and chain.pem is the LE intermediate cert. There's no need to use fullchain.pem for this.
I was struggling with the same issue for 3 days. But the error was the result of a configuration error in my Apache configuration.
I found out because the command openssl s_client -connect advertentiekracht.nl:443 returned:
Certificate chain
0 s:/CN=advertentiekracht.nl
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
including "Unable to get local issuer certificate".
The command [root@srv ssl]# openssl x509 -noout -in /etc/letsencrypt/live/advertentiekracht.nl/chain.pem -subject -issuer showed the missing chain:
subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
I am certainly not familiar with openssl and certificates. There certainly can be a lot of reasons leading to "Unable to get local issuer certificate". But before you start digging like I did, check your HTTP server configuration. For me that is Apache. I had typos where the SSL certificate hocus pocus is defined. httpd took the erroneous lines below:
SSLCertificateFile /etc/letsencrypt/live/advertentiekracht.nl/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/advertentiekracht.nl/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
Mind the first line: SSLCertificateFile should be SSLCertificateChainFile, and I missed the references to cert.pem and chain.pem. The lines below solved my problem:
SSLCertificateChainFile /etc/letsencrypt/live/advertentiekracht.nl/fullchain.pem
SSLCertificateFile /etc/letsencrypt/live/advertentiekracht.nl/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/advertentiekracht.nl/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/advertentiekracht.nl/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
The result, a complete chain:
Certificate chain
0 s:/CN=advertentiekracht.nl
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Counterintuitively, I finally got openssl verify to work by adding the root certificate to the chain. It feels like the Let's Encrypt CA should already be available, so I'm not convinced this is the right thing to do (and would welcome comments).
The steps were:
1) Save the root certificate as ca.pem
2) Concatenate the root to the chain:
$ cat ca.pem fullchain.pem > cachain.pem
Then verify:
$ openssl verify cachain.pem
cachain.pem: OK
This feels "wrong" so I'd like to understand whether this is a false positive.
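The behaviour discussed in the answers above, reproduced end to end with a throwaway CA, as an added example that is not part of any post on this page. It builds its own root, intermediate and leaf (the names Demo Root CA, Demo Intermediate CA and leaf.example.test, and the scratch directory in $WORK, are invented for the demo; root.pem stands in for the trust-store root that the operating system supplies in the real Let's Encrypt case). It then shows the point both the first and the last answer circle around: openssl verify looks only at the first certificate in each file it is given, so cert.pem and fullchain.pem fail the same way, -untrusted chain.pem is what supplies the intermediate, and a file with the root prepended "verifies" only because the root itself is the first certificate, not the leaf.

```shell
#!/bin/sh
# Added example, not from the original post: build a root -> intermediate ->
# leaf chain with openssl and compare the `openssl verify` invocations from
# the thread. CA names, the hostname leaf.example.test and $WORK are invented.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

make_chain() {
    # Root CA: self-signed, CA:TRUE. Plays the role of the trust-store root.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/O=Demo/CN=Demo Root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 2 \
        -extfile ca.ext -out root.pem 2>/dev/null

    # Intermediate CA, signed by the root: the equivalent of certbot's chain.pem.
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/O=Demo/CN=Demo Intermediate CA" 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -extfile ca.ext -out chain.pem 2>/dev/null

    # Leaf, signed by the intermediate: the equivalent of cert.pem.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:leaf.example.test\n' > leaf.ext
    openssl req -new -newkey rsa:2048 -nodes -keyout privkey.pem -out leaf.csr \
        -subj "/CN=leaf.example.test" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA chain.pem -CAkey int.key -CAcreateserial \
        -days 2 -extfile leaf.ext -out cert.pem 2>/dev/null

    # fullchain.pem is cert.pem followed by chain.pem, as certbot writes it.
    cat cert.pem chain.pem > fullchain.pem
}

# `openssl verify` reads only the FIRST certificate of each file argument and
# must build a path from it to something in the trust store (-CAfile here).
verify_cert_alone()     { openssl verify -CAfile root.pem cert.pem >/dev/null 2>&1; }
verify_fullchain_file() { openssl verify -CAfile root.pem fullchain.pem >/dev/null 2>&1; }
verify_with_untrusted() { openssl verify -CAfile root.pem -untrusted chain.pem cert.pem >/dev/null 2>&1; }

# The "prepend the root" approach from the last answer: the first certificate
# in cachain.pem is now the root, so OK means the root verified, not the leaf.
verify_root_prepended() {
    cat root.pem fullchain.pem > cachain.pem
    openssl verify -CAfile root.pem cachain.pem >/dev/null 2>&1
}

# Subject of the first certificate in a file: shows which cert verify looked at.
first_subject() { openssl x509 -noout -subject -in "$1"; }

make_chain
for check in verify_cert_alone verify_fullchain_file verify_with_untrusted verify_root_prepended; do
    if "$check"; then echo "$check: OK"; else echo "$check: FAILED"; fi
done
echo "first certificate in fullchain.pem: $(first_subject fullchain.pem)"
echo "first certificate in cachain.pem:   $(first_subject cachain.pem)"
```

Only verify_cert_alone and verify_fullchain_file fail; both fail because the intermediate is neither trusted nor supplied. verify_with_untrusted is the correct check for the leaf. verify_root_prepended also reports OK, but first_subject on cachain.pem shows the root's subject, which is the false positive the last answer suspected.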