I'm running this with the openssl provided by CentOS 7 and certificates provided by certbot (https://certbot.eff.org/) which is used to get https://letsencrypt.org/ certificates.
My haproxy certificate bundle file works okay with HAproxy. My chain only has the intermediate certificate in it, not the root CA. However, I'm pretty sure that's how it is supposed to be. When hapos-upd tries to verify my certificate chain with the line:
haproxy-ocsp-stapling-updater/hapos-upd
Line 435 in 169516d
It fails because it can't find a root trust anchor. The Let's Encrypt intermediate certificate is cross-signed by a different CA. That CA is in my globally trusted CA file. So, if I use -untrusted instead of -CAfile for the chain:
$OPENSSL_BIN verify $PARTIAL_CHAIN -untrusted $TMP/chain.pem $TMP/ee.pem &>>$TMP/log
That causes openssl to check the system CA file to find the root trust anchor that signs the intermediate certificate in chain.pem. Verification then succeeds for my end-entity certificate.
certbot has become pretty popular, so I'm guessing many other people trying to use Let's Encrypt certificates will run into the same issue I did. However, I'm not sure what the best way to go about providing a fix for this would be, or else I would provide a pull request. I'm thinking maybe adding a switch to tell hapos-upd to use the -untrusted switch instead of the -CAfile switch for the chain file might be the right approach.
Any thoughts?
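As an added example (not code from hapos-upd or from the issue author), the script below builds a constructed root -> intermediate -> leaf PKI with openssl and runs the two verify forms from the issue side by side, plus the -partial_chain variant; root.pem stands in for the system CA file, and all names and paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of hapos-upd: a constructed root -> intermediate -> leaf PKI
# used to compare the verify invocations discussed in the issue.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for the CAs; OpenSSL refuses to use a v1 (extension-less) intermediate as an issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > ee.ext

# Self-signed root: our stand-in for the system CA file. It is NOT put in chain.pem,
# mirroring a certbot chain that carries only the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj '/CN=Constructed Test Root' 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 30 -out root.pem 2>/dev/null

# Intermediate signed by the root; this single certificate is the whole chain.pem.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj '/CN=Constructed Test Intermediate' 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 30 -out chain.pem 2>/dev/null

# End-entity certificate signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout ee.key -out ee.csr \
    -subj '/CN=www.example.test' 2>/dev/null
openssl x509 -req -in ee.csr -CA chain.pem -CAkey int.key -CAcreateserial \
    -extfile ee.ext -days 30 -out ee.pem 2>/dev/null

# The form hapos-upd uses: chain.pem is the trust store. The intermediate is not
# self-signed and its issuer is nowhere in the store, so this fails with
# "unable to get issuer certificate" (non-zero exit status).
verify_chain_as_cafile() { openssl verify -CAfile chain.pem ee.pem >/dev/null 2>&1; }

# The form proposed in the issue: chain.pem supplies untrusted intermediates and the
# anchor comes from the CA file (root.pem here, the system bundle in the issue).
verify_chain_as_untrusted() { openssl verify -CAfile root.pem -untrusted chain.pem ee.pem >/dev/null 2>&1; }

# Alternative: keep chain.pem as the trust store but let the intermediate itself be
# the anchor with -partial_chain (OpenSSL 1.0.2 and later).
verify_partial_chain() { openssl verify -partial_chain -CAfile chain.pem ee.pem >/dev/null 2>&1; }

for check in verify_chain_as_cafile verify_chain_as_untrusted verify_partial_chain; do
    if "$check"; then echo "$check: OK"; else echo "$check: FAILED"; fi
done
```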