I generate a certificate with Let's Encrypt using the Certbot container:
$ mkdir /home/$USER/letsencrypt
$ docker run -it --rm -p 80:80 -p 443:443 -v /home/$USER/letsencrypt:/etc/letsencrypt certbot/certbot certonly --standalone --email [email protected] --agree-tos -d example.com
I navigate to the generated certificate:
$ cd /home/$USER/letsencrypt/live/example.com
I can verify chain.pem:
$ openssl verify chain.pem
chain.pem: OK
And I can see what's in chain.pem:
$ openssl x509 -noout -in chain.pem -subject -issuer
subject=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
I can't verify cert.pem (presumably because it needs the chain):
$ openssl verify cert.pem
CN = example.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error cert.pem: verification failed
But I also can't verify fullchain.pem either:
$ openssl verify fullchain.pem
CN = example.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error fullchain.pem: verification failed
The certificate seems to work in the browser, but is failing in curl
(and an Android http client, which is the real issue):
$ curl https://example.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
I've double-checked that fullchain.pem is a concatenation of cert.pem and chain.pem.
So: I don't understand why fullchain.pem doesn't verify?
I figured this out from man verify, reading the description of untrusted. Turns out untrusted is actually how you specify the certificate chain of trust (seems counterintuitive when you put it like that).
So, the command you need to verify a Letsencrypt cert is:
openssl verify -untrusted chain.pem cert.pem
Where cert.pem is your certificate and chain.pem is the LE intermediate cert. There's no need to use fullchain.pem for this.
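To see the behaviour from the question and the answer reproduced offline, here is an added example (not from the original poster or the answerer) that builds a throwaway root -> intermediate -> leaf chain with openssl and runs the same four `openssl verify` invocations. The names demo-root, demo-intermediate and demo.example.test, and the temporary file layout, are made up for the demo. The one difference from the thread is that the demo root is passed explicitly with -CAfile instead of living in the system trust store, since no system store trusts a root generated a second ago.

```shell
#!/bin/sh
# Added example, not part of the original thread: build a throwaway
# root -> intermediate -> leaf chain and compare `openssl verify` calls.
# All names (demo-root, demo-intermediate, demo.example.test) are made up.
set -eu

WORK="$(mktemp -d)"

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# Extension profiles: CA certs must carry basicConstraints CA:TRUE or
# openssl refuses to accept them as issuers when building the chain.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:demo.example.test\n' > "$WORK/leaf.ext"

# Key + CSR helper: $1 = file stem, $2 = CN.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# 1. Root CA, self-signed. Stands in for the publicly trusted root
#    (DST Root CA X3 in the thread) that normally sits in the OS trust store.
csr root demo-root
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
  -extfile "$WORK/ca.ext" -days 2 -out "$WORK/root.pem" 2>/dev/null

# 2. Intermediate, signed by the root. This plays the role of certbot's chain.pem.
csr int demo-intermediate
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/ca.ext" -days 1 -out "$WORK/chain.pem" 2>/dev/null

# 3. Leaf, signed by the intermediate. This plays the role of certbot's cert.pem.
csr leaf demo.example.test
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/chain.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -extfile "$WORK/leaf.ext" -days 1 -out "$WORK/cert.pem" 2>/dev/null

# fullchain.pem = cert.pem followed by chain.pem, the same layout certbot writes.
cat "$WORK/cert.pem" "$WORK/chain.pem" > "$WORK/fullchain.pem"

# verify_status prints 0 if `openssl verify` with the given arguments succeeds
# and 1 otherwise, so outcomes can be compared without set -e aborting the run.
# The demo root is supplied with -CAfile because it is not in the system store.
verify_status() {
  if openssl verify -CAfile "$WORK/root.pem" "$@" >/dev/null 2>&1; then
    echo 0
  else
    echo 1
  fi
}

# The four invocations from the thread, in the same order.
chain_alone()         { verify_status "$WORK/chain.pem"; }                               # 0: issuer is the trusted root
leaf_alone()          { verify_status "$WORK/cert.pem"; }                                # 1: intermediate is unknown
fullchain_as_target() { verify_status "$WORK/fullchain.pem"; }                           # 1: only the first cert in the file is verified
leaf_with_untrusted() { verify_status -untrusted "$WORK/chain.pem" "$WORK/cert.pem"; }   # 0: the fix from the answer

printf 'chain.pem alone: %s\ncert.pem alone: %s\nfullchain.pem alone: %s\n-untrusted chain.pem cert.pem: %s\n' \
  "$(chain_alone)" "$(leaf_alone)" "$(fullchain_as_target)" "$(leaf_with_untrusted)"
```

The fullchain.pem case fails for the same reason as in the question: `openssl verify` treats only the first certificate in each file argument as the target and ignores the rest, so the intermediate appended after the leaf is never used as an issuer. Passing it with -untrusted puts it in the pool of candidate issuers without trusting it outright, which is what a TLS client does with the intermediates a server sends.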