Autorità di certificazione per questo certificato non è autorizzato a rilasciare un certificato con questo nome

Question

Autorità di certificazione per questo certificato non è autorizzato a rilasciare un certificato con questo nome

#1 da (2 voti)
#2 da (1 voti)

0

Ho installato un'autorità di certificazione privata (CA), in cui dispongo di una "CA radice" e "CA intermedio" per la firma dei certificati del sito Web e un certificato generato per il mio sito web. Ho aggiunto il mio 'Root CA' a Firefox e Chromium. Entrambi i browser Web non riescono a convalidare la catena di certificati (Firefox dice SEC_ERROR_CERT_NOT_IN_NAME_SPACE ); Tuttavia, openssl verify dice che la catena è OK . Ho seguito le istruzioni del "Libro di cucina Openssl" di Ivan Ristić durante la configurazione di questa autorità di certificazione (se questo aiuta).

La CA radice:

$ cat root-ca.crt.pem
certificate:
Data:
    Version: 3 (0x2)
    Serial Number:
        14:91:ff:c0:24:c9:7f:5b:ae:26:0d:e8:5f:bd:5d:cc
Signature Algorithm: sha512WithRSAEncryption
    Issuer: C=ME, O=OpSec, CN=Root CA
    Validity
        Not Before: Jun 19 13:46:50 2018 GMT
        Not After : Jun 18 13:46:50 2028 GMT
    Subject: C=ME, O=OpSec, CN=Root CA
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (4096 bit)
            Modulus:
                00:be:ff:07:60:f1:04:1a:5b:6c:3f:4d:90:24:e3:
                ...
                0f:07:4b
            Exponent: 65537 (0x10001)
    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
        X509v3 Subject Key Identifier:
            B6:28:5C:B9:29:E0:18:05:A7:BD:5F:85:69:52:B2:F1:15:DA:5F:47
Signature Algorithm: sha512WithRSAEncryption
     8b:8a:dc:8e:62:b3:71:0b:ed:74:7a:50:f3:11:81:19:06:9d:
     ...
     db:15:e7:52:0b:16:46:74
-----BEGIN CERTIFICATE-----
MIIFKjCCAxKgAwIBAgIQFJH/wCTJf1uuJg3oX71dzDANBgkqhkiG9w0BAQ0FADAv
...
pu054FZ6DpQKWUK6JhmlsSrtpB+iLdsV51ILFkZ0
-----END CERTIFICATE-----

La CA intermedia / sub:

$ cat www-sub-ca.crt.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            14:91:ff:c0:24:c9:7f:5b:ae:26:0d:e8:5f:bd:5d:d0
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=ME, O=OpSec, CN=Root CA
        Validity
            Not Before: Jul  2 15:45:21 2018 GMT
            Not After : Jul  1 15:45:21 2028 GMT
        Subject: C=ME, O=OpSec, CN=WWW Sub CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:f3:fa:a6:60:04:d0:2d:3a:12:9a:d5:f1:a0:77:
                    ...
                    cd:a4:47
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access: 
                CA Issuers - URI:http://root-ca.saltycybernaut.net/root-ca.crt
                OCSP - URI:http://ocsp.root-ca.saltycybernaut.net:9080

            X509v3 Authority Key Identifier: 
                keyid:B6:28:5C:B9:29:E0:18:05:A7:BD:5F:85:69:52:B2:F1:15:DA:5F:47

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://root-ca.saltycybernaut.net/root-ca.crl

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Name Constraints: 
                Permitted:
                  DNS:saltycybernaut.net
                Excluded:
                  IP:0.0.0.0/0.0.0.0
                  IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

            X509v3 Subject Key Identifier: 
                04:1D:DD:EF:DF:0B:D8:F8:5D:80:9B:93:63:60:07:F3:EB:4A:D7:17
    Signature Algorithm: sha512WithRSAEncryption
         4b:0c:c6:60:38:b8:ba:48:44:83:b8:5d:98:69:5a:41:92:3f:
         ...
         1f:1c:80:cb:f4:1c:e1:ff
-----BEGIN CERTIFICATE-----
MIIGjjCCBHagAwIBAgIQFJH/wCTJf1uuJg3oX71d0DANBgkqhkiG9w0BAQ0FADAv
...
4f8=
-----END CERTIFICATE-----

Il certificato del sito web:

$ cat website.crt.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            25:31:18:97:4b:ab:09:b2:7b:40:d9:8c:d4:47:0c:8f
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=ME, O=OpSec, CN=WWW Sub CA
        Validity
            Not Before: Jul  2 15:48:29 2018 GMT
            Not After : Jul  2 15:48:29 2019 GMT
        Subject: C=ME, O=OpSec, OU=Website Division, CN=faraday.saltycybernaut.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:cb:ef:7f:75:56:a0:ff:59:75:44:cb:5d:0c:da:
                    ...
                    51:cd:19
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access: 
                CA Issuers - URI:http://www-sub-ca.saltycybernaut.net/www-sub-ca.crt
                OCSP - URI:http://ocsp.www-sub-ca.saltycybernaut.net:9081

            X509v3 Authority Key Identifier: 
                keyid:04:1D:DD:EF:DF:0B:D8:F8:5D:80:9B:93:63:60:07:F3:EB:4A:D7:17

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://www-sub-ca.saltycybernaut.net/www-sub-ca.crl

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier: 
                D5:A2:F6:6A:75:19:36:F9:9B:DE:85:99:02:E1:25:1F:B7:63:52:18
            X509v3 Subject Alternative Name: 
                DNS:faraday.saltycybernaut.net, IP Address:10.8.1.1
    Signature Algorithm: sha512WithRSAEncryption
         8b:d4:b6:73:48:ca:9c:8f:4c:26:e0:74:10:2d:e1:4e:f3:e9:
         ...
         29:5a:36:7d:f9:68:63:c7
-----BEGIN CERTIFICATE-----
MIIGnTCCBIWgAwIBAgIQJTEYl0urCbJ7QNmM1EcMjzANBgkqhkiG9w0BAQ0FADAy
   HxR+hl3vUFbAKVo2ffloY8c=
-----END CERTIFICATE-----

La catena completa che il sito Web fornisce ai client di connessione:

$ cat fullchain.crt.pem                                            
-----BEGIN CERTIFICATE-----                    
MIIFKjCCAxKgAwIBAgIQFJH/wCTJf1uuJg3oX71dzDANBgkqhkiG9w0BAQ0FADAv                               
MQswCQYDVQQGEwJNRTEOMAwGA1UECgwFT3BTZWMxEDAOBgNVBAMMB1Jvb3QgQ0Ew                               
HhcNMTgwNjE5MTM0NjUwWhcNMjgwNjE4MTM0NjUwWjAvMQswCQYDVQQGEwJNRTEO                               
MAwGA1UECgwFT3BTZWMxEDAOBgNVBAMMB1Jvb3QgQ0EwggIiMA0GCSqGSIb3DQEB                               
AQUAA4ICDwAwggIKAoICAQC+/wdg8QQaW2w/TZAk4yX9n0pkD5GcrSJR/hHRzbLO                               
eFB81CdcZFvwUFsjhhF/rjALZXE6dwJ8jazztktOkuhYTFAnH0GTyu8x+hzucEY7                               
G4QvIPMPU/eVvBHTre5RrHFtiaf9wmcMeI4cPHvpZng+JIT4eprGxXLR79pStGIT                               
+20kk5LILryM/67paF6B0XzCGtu0a28MJeZd3W5oS41ldfxzmtzCAGQfmAXaB7bW                               
ttzj6K3tVv2brfBT4UufUkwqnMyrAJBeDwMk/m2xwWzq2CdXMqQhtZahtmmAWKWb                               
GbZaK4WVb59/hIUD4Wb7Q/StT3b8QaEqtruoKCBqlbF7TZsmgt3dbS5ky3uNg9NJ                               
WcQ4eyledpM1c42hGn0h8dp36B7KXingvKCxfCb4yX7r+1nXSkM9zyZX/nyCZTfb                               
YRJMy3OXB8PQ0e84aeQmQtjr1PolnRb0ETrJjmb1z+lOjze+C/kp/UNplUVillqZ                               
oEayZiEHgKNBH8m/XZhg4svTt3gN5BWimFKG0JSQA30ZMtBDqrnuqHLagao/+DFG                               
5/5PRiYGxDbwFrybGw7JuF6WShd2vEDApDqSqiuYYA4RKd7Vp8Rk8H1k/n1UliuO                               
yXwJQfV+cgnG5/ligelU4BFVyAKskXLXv9yseN+a51fU6s/8hPWXyyCq/Eo6ow8H                               
SwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV                               
HQ4EFgQUtihcuSngGAWnvV+FaVKy8RXaX0cwDQYJKoZIhvcNAQENBQADggIBAIuK                               
3I5is3EL7XR6UPMRgRkGnfcxmoc2R4qbmbKX+Dkjcku4Rh6XT46aPGlr3whOyZvK                               
qOjb9vpRg281jFMFswJ1bIZ/5GBiI4waJBsIiRAL51DeGI8QB9AKi8YmoyG+j35U                               
vbsJmot+oa0M1l0fZLojsSsEX5bIjg3+dZvErpB5xLRqu4g3hL/Lwgevqe1drNxz                               
4eXQQYa7C2jAJHOmlkY5G1MLAga0foFS/xekpRCL71CYu/EQ0ycDVQ8Q+aM6hwDB                               
K/SaZ4RcIfLwA8GitH7R9svPeBQMvjs6cSpfmjdJWBw/yybrwIsZRcWaFy1Sd2DU                               
vnGGCAYrRcc2F+e979an7nlEirG25xo+reW7pry2WQa4UevV/NHGrP1/PTD0GKo8                               
3KD6rp04T1Ynru+M8xRKtkdja15SEVidwNgL7K8ipQqnAGrWGD63EuvuaPPVTf6V                               
eJFpXtIPWCAxdd0jVB1vNdirlEqW2nZPSu0BvQogNIowN0S7yxVeYPHI8iFhmQl0                               
TQPu+4b9bX0nOktCsYFNXRnwp6QmjifwyXTylKW5Lt8qPSFgXpsNw08bNTHTytpY                               
LGaZTlg36Z3NE2CGzVdGIHxEHuzokmXkmDrtkzFvbYCFpFq2PFC7QhXtHrxrMlMd                               
pu054FZ6DpQKWUK6JhmlsSrtpB+iLdsV51ILFkZ0       
-----END CERTIFICATE-----                      
-----BEGIN CERTIFICATE-----                    
MIIGjjCCBHagAwIBAgIQFJH/wCTJf1uuJg3oX71d0DANBgkqhkiG9w0BAQ0FADAv                               
MQswCQYDVQQGEwJNRTEOMAwGA1UECgwFT3BTZWMxEDAOBgNVBAMMB1Jvb3QgQ0Ew                               
HhcNMTgwNzAyMTU0NTIxWhcNMjgwNzAxMTU0NTIxWjAyMQswCQYDVQQGEwJNRTEO                               
MAwGA1UECgwFT3BTZWMxEzARBgNVBAMMCldXVyBTdWIgQ0EwggIiMA0GCSqGSIb3                               
DQEBAQUAA4ICDwAwggIKAoICAQDz+qZgBNAtOhKa1fGgd9aKT+zHnpdIdoALgumB                               
sTkUhuNHjlxu5M0nHtCYOWkYeCVdFNM9BhVOf9G9bIbBxshLX78hDrk+oT+67dqQ                               
F7djXCC90aWH4TJteZq+iU4/SjMwZ/XStQpdwpbmOmegonpVuS++A3bkIgly55Cd                               
B9G6ei2HOj3r43Q/KJqK1y7bRqqMvlUe0EEaXJ4PHsaNoE4n0i9Q1GOOqi+yQGev                               
rjilkRvoFfFuAddxR4RkqeCHBfUnpVGKnRm8ZNN8Mjns0DGHGt8QWbRSYJ9kOis9                               
BBFMMONNeLtJhnp8DzS4HyE4qMuJHfqeiE1HwVfPlJ5sdFFoD3L9PhxXwBhhKz4w                               
ifRAYCjeKrpVaPDRbSekZPq79a36g5SNPX3fYBEBSbLCII9Afhez9hHdtazk/XZb                               
ZCn/Gu5RpI1pl6DzM+N1+wUsCt8o9dW/c66I4/PbosFjzIG3JMhrD2ynB0KKZv4Y                               
xgO9PHR0rsc8CLnf/4ZiY90M4VJbRDCVk+VUteBLXzBHFIhdKA4xKBoMIfzNFt01                               
UgAZTw55ksiddpMDmbYIqJQVD2x9QkLVgFtdr1XkmUtmi+4P8jMTcQ4yWi4mMenH                               
0akqr6r2brTBHCgw2TkJAUVYAswEjXSUk7I6mhtGrnmKDwXDka8AHKaEOZO5GY16                               
Z82kRwIDAQABo4IBoTCCAZ0wgYIGCCsGAQUFBwEBBHYwdDA5BggrBgEFBQcwAoYt                               
aHR0cDovL3Jvb3QtY2Euc2FsdHljeWJlcm5hdXQubmV0L3Jvb3QtY2EuY3J0MDcG                               
CCsGAQUFBzABhitodHRwOi8vb2NzcC5yb290LWNhLnNhbHR5Y3liZXJuYXV0Lm5l                               
dDo5MDgwMB8GA1UdIwQYMBaAFLYoXLkp4BgFp71fhWlSsvEV2l9HMBIGA1UdEwEB                               
/wQIMAYBAf8CAQAwPgYDVR0fBDcwNTAzoDGgL4YtaHR0cDovL3Jvb3QtY2Euc2Fs                               
dHljeWJlcm5hdXQubmV0L3Jvb3QtY2EuY3JsMB0GA1UdJQQWMBQGCCsGAQUFBwMC                               
BggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCAQYwUwYDVR0eBEwwSqAWMBSCEnNhbHR5                               
Y3liZXJuYXV0Lm5ldKEwMAqHCAAAAAAAAAAAMCKHIAAAAAAAAAAAAAAAAAAAAAAA                               
AAAAAAAAAAAAAAAAAAAAMB0GA1UdDgQWBBQEHd3v3wvY+F2Am5NjYAfz60rXFzAN                               
BgkqhkiG9w0BAQ0FAAOCAgEASwzGYDi4ukhEg7hdmGlaQZI/lMwdvnTgFMi1cYSl                               
gR8Jim5Q5C7wIRV7F2b9eULl+b642bLGw6yX6ck48BQ0pIpPUqgIBJp91XQrhYko                               
OBemU6sVNH9ufafJknrtEbSHsL0O98LpA6/OiNR6S4cGMiTpZ/uipOQ6RbwM/a87                               
lVAFkpCk5+vIXw5wD1fa9mE8y/jeV16PNFeUgce4NU3dxpCmbsAiTTMv/b4n0c2D                               
wffY3q5Urvt+poPBAEgl5eOue6+QpwZY6m2D7PjA/MGbWPgusQAQ1z/cSqPC9ykZ                               
xqNT4etsGwvaZITA1E/5G8Qmo/15LTteEuKB1J9JCmbQxLDhW798PNWzL9QjNPRB                               
dkBPhJAJ9gEmhPakWML/Mt84pQxEt6yupLDm9xHX1a920DEVJsd4/p87aW4PDPXN                               
VxmixOEkaZ7VDILRsjSO05l+R89GuGFmgzl3LDxRHAlXXpu5DtARPkO6iG/Z2DfR                               
4lhhSsTX8Jz2OtmefFjf1UrXJW3iBbLKFLqmz7CkG9zdH2iFzjSoMXggmBqEtQFe                               
ON0/41gfcjS0jEIQgeQ5W6ylfogwVV3WDcuKwz4tfK+MmVFALXk8O27iWWlAZGvi                               
fG6VDaGqeUWZEX3XThzYzBG4L1+LN0/9FK21/6cTV1sqW8p+nAUTxWE5HxyAy/Qc                               
4f8=                                           
-----END CERTIFICATE-----                      
-----BEGIN CERTIFICATE-----                    
MIIGnTCCBIWgAwIBAgIQJTEYl0urCbJ7QNmM1EcMjzANBgkqhkiG9w0BAQ0FADAy                               
MQswCQYDVQQGEwJNRTEOMAwGA1UECgwFT3BTZWMxEzARBgNVBAMMCldXVyBTdWIg                               
Q0EwHhcNMTgwNzAyMTU0ODI5WhcNMTkwNzAyMTU0ODI5WjBdMQswCQYDVQQGEwJN                               
RTEOMAwGA1UECgwFT3BTZWMxGTAXBgNVBAsMEFdlYnNpdGUgRGl2aXNpb24xIzAh                               
BgNVBAMMGmZhcmFkYXkuc2FsdHljeWJlcm5hdXQubmV0MIICIjANBgkqhkiG9w0B                               
AQEFAAOCAg8AMIICCgKCAgEAy+9/dVag/1l1RMtdDNqjLbNujc1vWz4GTsvzEtFK                               
M68LJmscOpj/sgBukSIbTBVcY7h5QVEFkQgiCPeXuIUzSSBL1vkZJO6Cu/li20TD                               
y7iUFnEGqmOSoNY/aUQlQ6DhXGVquIReaZOYqFMapFSIXF2tEXPpHjrCTU74xFaf                               
QhWa2i9zFXBEjEv+grHf0ylGTSRxOJXoT7/1LsSyXgY4e0B116SpQtJJFV0Y4n3N                               
pFqUR2t50oLeGEMBp/osKMizb6WPg2qt8c0wPB0J/ODHC/BaYAf3X08wQuZ52UsK                               
Whah2LieTTGOC+jz1I0kVxLGDUBjDztmCM3FWxwoj9vtJdPSYPGMFyoF+I2yqKBZ                               
ZEtRyKVEb1Gc4rkp6ZYwQvgyaVyrL3lueGLIDOA2Da3uHUFQYkn2722CJlvqShn4                               
2X4/gjg1QoepMTX2ZzdnrHT3B/2JfNE9lcOTPEem0GKw1Hl6/wkUyOPUJqKd0Q0W                               
qLAUXbFV+vtVAR4a7Ckra6JP1PKCK2FZIs0VPNoHzUC31xvEwZPYsdylv9afMrGS                               
jzRn8HXUmtEe75Uz/nX6f4KV343QtUE8uB1rOPb7i2SfC8CC9cBeg1a+oVCEbUZy                               
eDHu48lgjj0nnRMmon7DTePlrAOrM9ZPBXagn8wvatzAETi4A42DJpD1N4LUh6lR                               
zRkCAwEAAaOCAYIwggF+MIGLBggrBgEFBQcBAQR/MH0wPwYIKwYBBQUHMAKGM2h0                               
dHA6Ly93d3ctc3ViLWNhLnNhbHR5Y3liZXJuYXV0Lm5ldC93d3ctc3ViLWNhLmNy                               
dDA6BggrBgEFBQcwAYYuaHR0cDovL29jc3Aud3d3LXN1Yi1jYS5zYWx0eWN5YmVy                               
bmF1dC5uZXQ6OTA4MTAfBgNVHSMEGDAWgBQEHd3v3wvY+F2Am5NjYAfz60rXFzAM                               
BgNVHRMBAf8EAjAAMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly93d3ctc3ViLWNh                               
LnNhbHR5Y3liZXJuYXV0Lm5ldC93d3ctc3ViLWNhLmNybDAdBgNVHSUEFjAUBggr                               
BgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgWgMB0GA1UdDgQWBBTVovZq                               
dRk2+ZvehZkC4SUft2NSGDArBgNVHREEJDAighpmYXJhZGF5LnNhbHR5Y3liZXJu                               
YXV0Lm5ldIcECggBATANBgkqhkiG9w0BAQ0FAAOCAgEAi9S2c0jKnI9MJuB0EC3h                               
TvPpT2xc03rTrosRKe+rLG3BAuUbIqJtbSBpJZs4EUFph1JN9YI9Jsj8lFDlaU82                               
33fDoz8UEPXBrzVdEvBVbO9ynzDDkXD9jXjPcs95Ku2eq1LhjX7x4hbF8PIBNcbs                               
4PHmAhjsx1ODgCi3VyB8RoK7IqMpoHaYgQp0+tzAt43X+uqlFERgIv5rDX032TWK                               
8f2QpebLNG6v5NyA+oB+Dbv10JQ5zqCU780sNVp2DorjQHa6HvVGQay4eb+RzWRo                               
UaCbeOHczkuH4svrXMts8GXVeucMYXhCt+KGM5Fbb1rtEAS/DIoLSepihh19l7rl                               
z3ITbnQyajI6Nk0JFf2RBKA7bR8YX7Gx0N2bCHk4SVdmkqT4fi9py0lQe7C50LNJ                               
AKp5r7c9e2qFiBF+JOQZUvAHjUpmm4VtxqeiEkS1sY3zQbEyYyviPHl2kA9pdh/5                               
CbyDSSpFnZIueX23Nl24QqOtLFI9D3VXZlnsKDgivswrGxh8cyN8k7fmU0XjWTYd                               
38HJmSw/rc6DkszYepYJZBUog1DotABYmqaeCqqIU92JrSJdelYxCbr6+nKBElzx                               
dYa4vUgh6CcNME0SGIsiBu8AX9q38b+QJZNn148xMPr+9K3vyuVuMXOgg/LJijd1                               
HxR+hl3vUFbAKVo2ffloY8c=                       
-----END CERTIFICATE-----

Convalida Openssl:

$ openssl verify -CAfile root-ca.crt.pem fullchain.crt.pem
fullchain.crt.pem: OK

Come ho rilasciato un certificato al di fuori dello "spazio dei nomi" del certificato radice e del certificato intermedio? Come posso correggere questo?

openssl tls certificate-authority

posta Cybernaut 03.07.2018 - 23:17

fonte

2 risposte

Leggi altre domande sui tag openssl tls certificate-authority

In che modo EternalBlue ha bypassato i firewall? Cookie che ruba con il reindirizzamento

score 2 · Answer 1

Il problema è causato da un'estensione certificato Name Constraints presentata in un certificato CA intermedio:

        X509v3 Name Constraints: 
            Permitted:
              DNS:saltycybernaut.net
            Excluded:
              IP:0.0.0.0/0.0.0.0
              IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

Questa estensione definisce lo spazio dei nomi per i certificati emessi. In un determinato caso, è consentito solo saltcybernault.net nei certificati concessi e non sono consentiti indirizzi IP.

È necessario, rimuovere completamente questa estensione o aggiungere il nome desiderato nella sottostruttura consentita. Ulteriori informazioni su questa estensione in RFC 5280 §4.2.1.10

score 1 · Answer 2

openssl verify non verifica una catena in un file; verifica solo il primo cert nel file (o ogni file) che gli dai. Hai il CERT di root prima nel file fullchain.pem , quindi stai solo verificando il certificato di root, e va bene. Questo è un dupe e crossdupe, anche se non troppo facile da trovare:
Se un server o un client è in grado di verificare un certificato client / server - catena di certificati intermedia con una ca radice conosciuta?
< a href="https://stackoverflow.com/questions/44375300/openssl-verify-with-chained-ca-and-chained-cert"> link
link

Se utilizzo il comando corretto in 1.1.0 (ma non prima) per verificare la catena, riporta correttamente l'errore:

$ openssl verify -purpose sslserver -CAfile se188914.0 -untrusted se188914.1 se188914.2
C = ME, O = OpSec, OU = Website Division, CN = faraday.saltycybernaut.net
error 48 at 0 depth lookup: excluded subtree violation
error se188914.2: verification failed

Il tuo vero problema è correttamente risposto da Crypt32.