takeshixx / deen

Generic data DEcoding/ENcoding application built with PyQt5.
Apache License 2.0

Clone certificate with existing CA does not work with Let's Encrypt certificates #45

Open SvenTo opened 2 years ago

SvenTo commented 2 years ago

Hi, I've tried to clone the CA chain of Let's Encrypt with deen by cloning the ISRG Root X1 CA as self-signed and then signing the intermediate CA R3 with the cloned certificate as CA via the "Sign with existing CA" function. I did the same with the intermediate CA R3 and the leaf certificate. The resulting certificate chain is not accepted by openssl:

$ openssl verify -show_chain -CAfile genuine-ca.pem -untrusted genuine-intermediate-ca.pem genuine-cert.pem
genuine-cert.pem: OK
Chain:
depth=0: CN = [...] (untrusted)
depth=1: C = US, O = Let's Encrypt, CN = R3 (untrusted)
depth=2: C = US, O = Internet Security Research Group, CN = ISRG Root X1
$ openssl verify -show_chain -CAfile cloned-ca-bundle.pem cloned-intermediate-ca-bundle.pem 
cloned-intermediate-ca-bundle.pem: OK
Chain:
depth=0: C = US, O = Let's Encrypt, CN = R3 (untrusted)
depth=1: C = US, O = Internet Security Research Group, CN = ISRG Root X1
$ openssl verify -show_chain -CAfile cloned-ca-bundle.pem -untrusted cloned-intermediate-ca-bundle.pem cloned-leaf-cert.pem 
CN = [...]
error 20 at 0 depth lookup: unable to get local issuer certificate
error cloned-leaf-cert.pem: verification failed

openssl accepts the chain if I try the same thing with the SAML Raider Clone Chain function.

I've attached the cloned certificates from the sample as ZIP:

takeshixx commented 2 years ago

599187463fef63ccddc7075fd04596b3b7a1cc25 should fix this. Not sure how this was never a problem before... :smile:
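Added example (editor's code, not deen's or SAML Raider's): the clone-root, sign-intermediate, sign-leaf procedure from the report above, written with the `cryptography` library (an assumption; the issue does not say what deen uses internally), plus a chain walk that applies the two checks openssl uses when it looks for a local issuer: the issuer name must equal a candidate's subject, and if the certificate carries an Authority Key Identifier its key id must equal the candidate's Subject Key Identifier. The "genuine" chain is constructed in memory as a stand-in for ISRG Root X1 / R3 / leaf, not the real Let's Encrypt certificates. The commit that fixes the issue is not described on this page, so the mixed case below (SKI rebuilt on the cloned intermediate, AKI copied verbatim on the leaf) is one way to produce "error 20 at 0 depth", not the diagnosed cause.

```python
"""Clone an X.509 chain under fresh keys and re-check it the way openssl does.
All certificates are constructed in memory (stand-in chain, not Let's Encrypt's)."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID


def new_key():
    return ec.generate_private_key(ec.SECP256R1())


def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject, issuer, key, issuer_key, is_ca):
    """Minimal certificate with BasicConstraints, SKI and AKI (constructed sample data)."""
    start = datetime.datetime(2024, 1, 1)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=90))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
               .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()),
                              critical=False)
               .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(
                   issuer_key.public_key()), critical=False))
    return builder.sign(issuer_key, hashes.SHA256())


def genuine_chain():
    """[leaf, intermediate, root]: the roles ISRG Root X1 / R3 / leaf play in the report."""
    root_key, inter_key, leaf_key = new_key(), new_key(), new_key()
    root = make_cert(name("Sample Root"), name("Sample Root"), root_key, root_key, True)
    inter = make_cert(name("Sample R3"), root.subject, inter_key, root_key, True)
    leaf = make_cert(name("leaf.example"), inter.subject, leaf_key, inter_key, False)
    return [leaf, inter, root]


def clone_cert(genuine, issuer_key=None, regen_ski=True, regen_aki=True):
    """Re-issue `genuine` under a new key, signed by `issuer_key` (None = self-signed).
    Subject, issuer, serial, validity and extensions are copied; SKI/AKI are either
    rebuilt from the new keys or copied verbatim, per flag."""
    key = new_key()
    if issuer_key is None:
        issuer_key = key
    # *_utc accessors exist in cryptography >= 42; fall back on older releases
    not_before = getattr(genuine, "not_valid_before_utc", None) or genuine.not_valid_before
    not_after = getattr(genuine, "not_valid_after_utc", None) or genuine.not_valid_after
    builder = (x509.CertificateBuilder()
               .subject_name(genuine.subject).issuer_name(genuine.issuer)
               .serial_number(genuine.serial_number).public_key(key.public_key())
               .not_valid_before(not_before).not_valid_after(not_after))
    for ext in genuine.extensions:
        value = ext.value
        if regen_ski and ext.oid == ExtensionOID.SUBJECT_KEY_IDENTIFIER:
            value = x509.SubjectKeyIdentifier.from_public_key(key.public_key())
        elif regen_aki and ext.oid == ExtensionOID.AUTHORITY_KEY_IDENTIFIER:
            value = x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_key.public_key())
        builder = builder.add_extension(value, critical=ext.critical)
    return builder.sign(issuer_key, hashes.SHA256()), key


def clone_chain(chain, regen=lambda depth: (True, True)):
    """Clone from the root down, each certificate signed by the clone of its issuer.
    regen(depth) -> (rebuild SKI?, rebuild AKI?) for the certificate at that depth."""
    cloned, issuer_key = [], None
    for depth in range(len(chain) - 1, -1, -1):
        regen_ski, regen_aki = regen(depth)
        cert, issuer_key = clone_cert(chain[depth], issuer_key, regen_ski, regen_aki)
        cloned.append(cert)
    return cloned[::-1]


def _ext(cert, oid):
    try:
        return cert.extensions.get_extension_for_oid(oid).value
    except x509.ExtensionNotFound:
        return None


def find_issuer(cert, candidates):
    """openssl-style lookup: issuer name == candidate subject, and when the cert has an
    AKI key identifier it must equal the candidate's SKI (openssl never checks that the
    SKI actually hashes the candidate's key, so verbatim-copied ids still pair up)."""
    aki = _ext(cert, ExtensionOID.AUTHORITY_KEY_IDENTIFIER)
    for cand in candidates:
        if cand.subject != cert.issuer:
            continue
        ski = _ext(cand, ExtensionOID.SUBJECT_KEY_IDENTIFIER)
        if aki is not None and aki.key_identifier is not None and (
                ski is None or ski.digest != aki.key_identifier):
            continue
        return cand
    return None


def verify_chain(leaf, untrusted, trusted):
    """Walk from the leaf to a trust anchor. Returns (chain, None) on success, or
    (partial chain, depth) when no issuer is found at that depth: openssl's
    'error 20 at <depth> depth lookup: unable to get local issuer certificate'."""
    chain, cert = [leaf], leaf
    while cert not in trusted:
        issuer = find_issuer(cert, trusted + untrusted)
        if issuer is None or issuer == cert:  # nothing found, or untrusted self-signed
            return chain, len(chain) - 1
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        chain.append(issuer)
        cert = issuer
    return chain, None


if __name__ == "__main__":
    chain = genuine_chain()
    good = clone_chain(chain)
    print("consistent clone, failed depth:", verify_chain(good[0], [good[1]], [good[2]])[1])
    mixed = clone_chain(chain, regen=lambda d: (True, d != 0))  # leaf keeps genuine AKI
    print("mixed clone, failed depth:", verify_chain(mixed[0], [mixed[1]], [mixed[2]])[1])
```

`verify_chain` deliberately stops at issuer lookup and signature checks, which is enough to reproduce the lookup failure in the report; it does not check validity dates, BasicConstraints or key usage, which `openssl verify` also enforces. Cloning one certificate at a time, as the report describes, is exactly where the key identifiers can drift apart: the cloned intermediate and the leaf it later signs must agree on SKI and AKI, whichever way (rebuilt or copied) the tool handles them.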