shred / acme4j

Java client for ACME (Let's Encrypt)
https://acme4j.shredzone.org
Apache License 2.0

Getting Unable to get local issuer certificate #126

Closed uniquenepalhumepipe closed 2 years ago

uniquenepalhumepipe commented 2 years ago

I have issued a certificate from Acme4j, but if I try to verify it with openssl verify, it gives me an "unable to get local issuer certificate" error. I am using the implementation of Acme4j from blynk-server:
https://github.com/blynkkk/blynk-server/blob/master/server/acme/src/main/java/cc/blynk/server/acme/AcmeClient.java
https://github.com/blynkkk/blynk-server/blob/master/server/launcher/src/main/java/cc/blynk/server/workers/CertificateRenewalWorker.java

shred commented 2 years ago

It's hard to do remote debugging with just this little information. However, since you mentioned openssl verify, I guess that your openssl is validating against the DST Root CA X3 certificate, which actually expired in September 2021, so formally the certificate chain is invalid.

You can download the ISRG Root X1 certificate, and then use this one as root certificate for validation:

openssl verify -CAfile <(cat lets-encrypt-r3.pem isrgrootx1.pem) cert.pem
cert.pem: OK

cert.pem is the certificate chain stored by blynk. lets-encrypt-r3.pem is the intermediate certificate, which is the second certificate in the cert.pem chain, but can also be downloaded from the page linked above.

shred commented 2 years ago

Maybe this link is helpful as well: https://community.letsencrypt.org/t/rhel-centos-6-openssl-client-compatibility-after-dst-root-ca-x3-expiration/161032

uniquenepalhumepipe commented 2 years ago

Thanks for the help :). OpenSSL was the issue. Thank you!