Unable to `openssl verify' letsencrypt certificate

I generate a certificate with Letsencrypt using the Certbot container:

$ mkdir /home/$USER/letsencrypt
$ docker run -it --rm -p 80:80 -p 443:443 -v /home/$USER/letsencrypt:/etc/letsencrypt certbot/certbot certonly --standalone --email [email protected] --agree-tos -d example.com

I navigate to the generated certificate:

$ cd /home/$USER/letsencrypt/live/example.com

I can verify chain.pem:

$ openssl verify chain.pem 
chain.pem: OK

And I can see what's in chain.pem:

$ openssl x509 -noout -in chain.pem -subject -issuer
subject=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3

I can't verify cert.pem (presumably because it needs the chain):

$ openssl verify cert.pem
CN = example.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error cert.pem: verification failed

But I also can't verify fullchain.pem either:

$ openssl verify fullchain.pem
CN = example.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error fullchain.pem: verification failed

The certificate seems to work in the browser, but is failing in curl (and an Android http client, which is the real issue):

$ curl https://example.com
curl: (60) SSL certificate problem: unable to get local issuer certificate

I've double-checked that fullchain.pem is a concatenation of cert.pem and chain.pem.

So: I don't understand why fullchain.pem doesn't verify.

David Carboni asked Jan 02 '23 06:01

1 Answer

I figured this out from man verify, reading the description of untrusted. Turns out untrusted is actually how you specify the certificate chain of trust (seems counterintuitive when you put it like that).

So, the command you need to verify a Letsencrypt cert is:

openssl verify -untrusted chain.pem cert.pem

Where cert.pem is your certificate and chain.pem is the LE intermediate cert. There's no need to use fullchain.pem for this.

David Carboni answered Jan 04 '23 18:01
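The three verify outcomes from the question and the answer, reproduced with a throwaway root / intermediate / leaf chain so the script runs offline. This is an added example, not code from the original post; root.pem, int.pem and leaf.pem are assumed stand-ins for the trusted root, chain.pem and cert.pem, and the root is handed to openssl with -CAfile instead of relying on the system trust store.

```sh
#!/bin/sh
# Added example (not from the original post): build a throwaway root -> intermediate -> leaf
# chain, then reproduce the verify behaviour discussed above.
set -e
WORK=$(mktemp -d)

# Throwaway root CA (self-signed); 'req -x509' marks it CA:TRUE by default.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" -subj "/CN=Test Root" -days 1 >/dev/null 2>&1

# Intermediate CA signed by the root (plays the role of chain.pem).
openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" -subj "/CN=Test Intermediate" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -out "$WORK/int.pem" -days 1 -extfile "$WORK/int.ext" >/dev/null 2>&1

# Leaf certificate signed by the intermediate (plays the role of cert.pem).
openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" -subj "/CN=example.com" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com\n' > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
  -out "$WORK/leaf.pem" -days 1 -extfile "$WORK/leaf.ext" >/dev/null 2>&1

# fullchain.pem = leaf followed by intermediate, the same layout certbot produces.
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"

# verify_case TARGET [extra 'openssl verify' args...]: prints OK or FAIL.
# The root is passed via -CAfile so the result does not depend on the system trust store.
verify_case() {
  target=$1; shift
  if openssl verify -CAfile "$WORK/root.pem" "$@" "$WORK/$target" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# 1) leaf alone: issuer (the intermediate) is unknown -> FAIL, like 'openssl verify cert.pem'
echo "leaf alone:           $(verify_case leaf.pem)"
# 2) fullchain alone: 'openssl verify' takes only the FIRST cert in the file as the target and
#    ignores the rest, so it fails exactly like the leaf alone -> FAIL
echo "fullchain alone:      $(verify_case fullchain.pem)"
# 3) the answer's form: intermediate supplied with -untrusted, root trusted -> OK
echo "leaf with -untrusted: $(verify_case leaf.pem -untrusted "$WORK/int.pem")"
```

Note that -untrusted only supplies the intermediate(s) for chain building; the root still has to come from a trusted source (-CAfile here, or the system store in the original command), so a missing or untrusted root fails even with the chain present.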