Control: tag -1 moreinfo

Hi Jonas,

On Sat, 04 Apr 2020 at 20:18:28 +0200, Jonas Smedegaard wrote:
> C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> error 2 at 1 depth lookup: unable to get issuer certificate
> [live] Error: Received invalid X.509 certificate from ACME server!

This indicates that the received X.509 certificate isn't signed by the
CA specified as ‘CAfile’.  More precisely, that

    openssl verify -CAfile $CAfile -purpose sslserver -x509_strict </path/to/cert

has a non-0 exit status.

The default value for ‘CAfile’ is the lacme-provided cross signed chain
/usr/share/lacme/lets-encrypt-x3-cross-signed.pem, did you perhaps set
it to something else?  I'm not familiar with verify(1ssl) error messages
but it suggests that the CA file doesn't contain the full chain.

Works for me with the default ‘CAfile’ value, at least:

    $ curl -s https://acme-v02.api.letsencrypt.org/acme/cert/036c9c4c3720c2241c7f32cb5920470555db \
        | openssl verify -CAfile /usr/share/lacme/lets-encrypt-x3-cross-signed.pem -purpose sslserver -x509_strict
    stdin: OK

Does this command work on your system?

I've not been able to reproduce the “error 2 at 1 depth lookup” error,
but for a completely different CA verify(1ssl) fails with:

    $ curl -s https://acme-v02.api.letsencrypt.org/acme/cert/036c9c4c3720c2241c7f32cb5920470555db \
        | openssl verify -CAfile /usr/share/lacme/lets-encrypt-x1-cross-signed.pem -purpose sslserver -x509_strict
    CN = live.homebase.dk
    error 20 at 0 depth lookup: unable to get local issuer certificate
    error stdin: verification failed

(Adding --debug will indicate the exact `openssl verify -CAfile …` that fails.)

-- 
Guilhem.
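Added example, not part of the original mail or of lacme: a throwaway three-level PKI that shows how the two verify(1ssl) errors quoted above differ. Error 2 at depth 1 appears when the CAfile holds the leaf's issuer but not that issuer's own issuer, and error 20 at depth 0 when the leaf's issuer is not found at all. All certificate names are constructed, and `-no-CApath` is an addition here so that the system trust store cannot supply a missing issuer.

```shell
# Constructed root -> intermediate -> leaf PKI; every name below is made up.
set -eu
make_pki() {  # make_pki DIR: writes root.pem, inter.pem and leaf.pem into DIR
    d=$1
    cat >"$d/ext.cnf" <<'EOF'
[root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[inter]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ext.cnf" -extensions root -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ext.cnf" -extensions inter \
        -out "$d/inter.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 3 -days 2 -extfile "$d/ext.cnf" -extensions leaf \
        -out "$d/leaf.pem" 2>/dev/null
}

# check CAFILE CERT: the verify command from the mail, restricted to CAFILE.
# Prints "OK" or "error N at D" (error number and chain depth).
check() {
    out=$(openssl verify -no-CApath -CAfile "$1" -purpose sslserver -x509_strict \
        "$2" 2>&1) && { echo OK; return 0; }
    printf '%s\n' "$out" | sed -n \
        's/^error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth lookup.*/error \1 at \2/p' | head -n 1
    return 1
}

t=$(mktemp -d); make_pki "$t"; cat "$t/inter.pem" "$t/root.pem" >"$t/full.pem"
echo "CAfile = intermediate + root:   $(check "$t/full.pem"  "$t/leaf.pem")"
echo "CAfile = intermediate only:     $(check "$t/inter.pem" "$t/leaf.pem")"
echo "CAfile lacks the leaf's issuer: $(check "$t/root.pem"  "$t/leaf.pem")"
rm -rf "$t"
```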