LetsEncrypt has rolled out new intermediates to replace the old ones, and as a result, when I renewed one of my certs yesterday, I got a new intermediate (R10). However, I'm not able to verify the new certificate like I was the old ones, and I'm a bit stumped as to what I'm missing:
I would think having trust on the LetsEncrypt root certificates should be enough, but perhaps something else is going on with my certs. Verifying an older R3 cert works fine:
% sudo openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -untrusted ocplab.com.intermediate.crt ocplab.com.pem
ocplab.com.pem: OK
But the new R10 one fails:
$ sudo openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -untrusted sso.ocplab.com.intermediate.crt sso.ocplab.com.pem
CN=sso.ocplab.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error sso.ocplab.com.pem: verification failed
And the trust store has both LetsEncrypt root CAs in it:
sudo trust list | grep -i iSRG
label: ISRG Root X1
label: ISRG Root X2
But no intermediates, which I think is expected since you should only need the root certs. I'm not seeing any obvious differences between the certs either, other than the intermediate.
Any pointers on what I'm missing or how to troubleshoot this further?
[Solved] My automation was not updating the intermediate certificate and it was still the R3 one, hence verification failed. Manually downloading the R10 certificate and validating against that works fine.
Last edited by gnunn (2024-07-17 15:14:04)
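The failure in this thread (a leaf issued by R10 checked against a stale R3 intermediate file) can be caught before `openssl verify` by comparing the leaf's issuer name with the intermediate's subject name. The following is an added example, not part of the original post; the function names are hypothetical, and only the first certificate in each PEM file is inspected.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check of a leaf/intermediate pair.
# Function names are hypothetical; file paths are supplied by the caller.

# Print the issuer or subject DN of the first certificate in a PEM file.
# usage: cert_name issuer|subject FILE
cert_name() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Return 0 when INTERMEDIATE's subject is the name LEAF was issued by.
# A stale intermediate file (R3 on disk, leaf issued by R10) fails here.
# usage: issuer_matches LEAF INTERMEDIATE
issuer_matches() {
    im_want=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    im_have=$(openssl x509 -in "$2" -noout -subject_hash) || return 2
    [ "$im_want" = "$im_have" ]
}

# Return 0 when the chain verifies, 1 when the intermediate is the wrong one,
# 2 when the names line up but verification still fails (untrusted root,
# expiry, bad signature).
# usage: check_chain CAFILE INTERMEDIATE LEAF
check_chain() {
    if ! issuer_matches "$3" "$2"; then
        echo "intermediate does not match the leaf's issuer:" >&2
        echo "  leaf issued by:       $(cert_name issuer "$3")" >&2
        echo "  intermediate subject: $(cert_name subject "$2")" >&2
        return 1
    fi
    # Same invocation as in the post, with output suppressed.
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 || return 2
}
```

Running `check_chain` in the renewal automation right after the certificate is written turns error 20 into a message that names both the expected and the actual intermediate.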