Control: tag -1 moreinfo

Hi Jonas,

On Sat, 04 Apr 2020 at 20:18:28 +0200, Jonas Smedegaard wrote:
> C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> error 2 at 1 depth lookup: unable to get issuer certificate
> [live] Error: Received invalid X.509 certificate from ACME server!

This indicates that the received X.509 certificate isn't signed by the
CA specified as ‘CAfile’. More precisely, that

    openssl verify -CAfile $CAfile -purpose sslserver -x509_strict </path/to/cert

has a non-0 exit status. The default value for ‘CAfile’ is the lacme-provided
cross signed chain /usr/share/lacme/lets-encrypt-x3-cross-signed.pem,
did you perhaps set it to something else? I'm not familiar with
verify(1ssl) error messages but it suggests that the CA file doesn't
contain the full chain.

Works for me with the default ‘CAfile’ value, at least:

    $ curl -s https://acme-v02.api.letsencrypt.org/acme/cert/036c9c4c3720c2241c7f32cb5920470555db \
        | openssl verify -CAfile /usr/share/lacme/lets-encrypt-x3-cross-signed.pem -purpose sslserver -x509_strict
    stdin: OK

Does this command work on your system? I've not been able to reproduce
the “error 2 at 1 depth lookup” error, but for a completely different CA
verify(1ssl) fails with:

    $ curl -s https://acme-v02.api.letsencrypt.org/acme/cert/036c9c4c3720c2241c7f32cb5920470555db \
        | openssl verify -CAfile /usr/share/lacme/lets-encrypt-x1-cross-signed.pem -purpose sslserver -x509_strict
    CN = live.homebase.dk
    error 20 at 0 depth lookup: unable to get local issuer certificate
    error stdin: verification failed

(Adding --debug will indicate the exact `openssl verify -CAfile …` that
fails.)
--
Guilhem.
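
The two verify(1ssl) failures discussed in this mail can be reproduced offline. The script below is an added example, not part of the original message or of lacme: it builds a constructed root, intermediate and leaf (the names root, inter, leaf and other are placeholders) and runs the same `openssl verify` invocation with an incomplete CAfile, a complete one and an unrelated one.

```sh
# Constructed throwaway PKI: root -> inter -> leaf, plus an unrelated root "other".
d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
cat >"$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
EOF
# mkcert NAME SECTION [ISSUER]: new key and CSR, signed by ISSUER or self-signed.
mkcert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$d/x.cnf" -subj "/CN=$1" \
        -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null || return 1
    if [ -n "$3" ]; then
        openssl x509 -req -in "$d/$1.csr" -CA "$d/$3.pem" -CAkey "$d/$3.key" \
            -set_serial 1 -days 30 -extfile "$d/x.cnf" -extensions "$2" \
            -out "$d/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$d/$1.csr" -signkey "$d/$1.key" -days 30 \
            -extfile "$d/x.cnf" -extensions "$2" -out "$d/$1.pem" 2>/dev/null
    fi
}
# verify_with CAFILE: the check quoted in the mail, run against the constructed
# leaf; prints OK or the first "error N at D depth" reported by openssl verify.
verify_with() {
    if out=$(openssl verify -CAfile "$1" -purpose sslserver -x509_strict \
            "$d/leaf.pem" 2>&1); then
        echo OK
    else
        printf '%s\n' "$out" |
            sed -n 's/^\(error [0-9][0-9]* at [0-9][0-9]* depth\).*/\1/p' | head -n 1
    fi
}
mkcert root ca && mkcert inter ca root && mkcert leaf leaf inter && mkcert other ca || exit 1
cat "$d/inter.pem" "$d/root.pem" >"$d/full.pem"
echo "inter only:   $(verify_with "$d/inter.pem")"   # CAfile lacks the root
echo "inter + root: $(verify_with "$d/full.pem")"    # full chain
echo "other root:   $(verify_with "$d/other.pem")"   # unrelated CA
```

Error 2 at depth 1 means the leaf's issuer was found in the CAfile but that issuer's own issuer was not; error 20 at depth 0 means the leaf's issuer was not found at all.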

