openssl verify fails with "unable to get local issuer certificate"
openssl verify -show_chain -verbose /etc/letsencrypt/live/test.example.com/fullchain.pem
CN = test.example.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error /etc/letsencrypt/live/test.example.com/fullchain.pem: verification failed
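This happens because openssl verify does not expect a certificate file that has the intermediate certificates chained into it.
Pass the intermediate certificate, Let's Encrypt Authority X3, with the -untrusted option so that openssl verify knows about it.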
openssl verify -show_chain -verbose -untrusted /etc/letsencrypt/live/test.example.com/fullchain.pem /etc/letsencrypt/live/test.example.com/fullchain.pem
/etc/letsencrypt/live/test.example.com/fullchain.pem: OK
Chain:
depth=0: CN = test.example.com (untrusted)
depth=1: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 (untrusted)
depth=2: O = Digital Signature Trust Co., CN = DST Root CA X3
The certificate given to -untrusted can also be just the intermediate certificate, /etc/letsencrypt/live/test.example.com/chain.pem.
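
The behaviour described above, reproduced offline as an added example (not part of the original note): it builds a throwaway root, intermediate and leaf, then checks that verification fails without -untrusted and passes with either fullchain.pem or chain.pem. The certificate names and the function names (issue, build_demo_chain, verify_bare, verify_untrusted) are made up for this example, and -CAfile stands in for the system trust store.

```shell
#!/bin/sh
# Added example. All names and certificates here are constructed test data.

issue() {  # issue DIR NAME CN ISSUER [EXTFILE]; ISSUER "self" = self-signed root
    d=$1; name=$2; cn=$3; issuer=$4
    ext=${5:+-extfile $5}   # left unquoted below on purpose: two words or none
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
    if [ "$issuer" = self ]; then
        openssl x509 -req -in "$d/$name.csr" -signkey "$d/$name.key" $ext \
            -days 2 -out "$d/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.pem" \
            -CAkey "$d/$issuer.key" -CAcreateserial $ext \
            -days 2 -out "$d/$name.pem" 2>/dev/null
    fi
}

build_demo_chain() {  # lays out chain.pem and fullchain.pem the way certbot does
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    issue "$d" root "Demo Root CA" self "$d/ca.ext" &&
    issue "$d" int "Demo Intermediate CA" root "$d/ca.ext" &&
    issue "$d" leaf "test.example.com" int &&
    cp "$d/int.pem" "$d/chain.pem" &&
    cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"
}

# -CAfile stands in for the system trust store that holds the real root.
verify_bare() {       # only the first certificate in fullchain.pem is read
    openssl verify -CAfile "$1/root.pem" "$1/fullchain.pem" >/dev/null 2>&1
}
verify_untrusted() {  # verify_untrusted DIR FILE: FILE supplies the intermediates
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/$2" \
        "$1/fullchain.pem" >/dev/null 2>&1
}

tmp=$(mktemp -d) && build_demo_chain "$tmp" || exit 1
verify_bare "$tmp" && echo "bare: OK" || echo "bare: verification failed"
verify_untrusted "$tmp" fullchain.pem && echo "-untrusted fullchain.pem: OK"
verify_untrusted "$tmp" chain.pem && echo "-untrusted chain.pem: OK"
rm -rf "$tmp"
```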