Reputation: 11
I have 3 certificates: rootca.pem, intermediateca.pem and server.pem. Verifying intermediateca by root with openssl verify is fine:
openssl verify -verbose -CAfile rootca.pem intermediateca.pem
intermediateca.pem: OK
Server certificate, signed by intermediate: verification fails:
openssl verify -verbose -CAfile rootca.pem -untrusted intermediateca.pem server.pem
CN = 2ip.ru
error 20 at 0 depth lookup: unable to get local issuer certificate
error server.pem: verification failed
I checked the subject/issuer hashes of rootca and intermediateca, and of intermediateca and server. The hashes are correct.
I pasted my certificate chain here.
Upvotes: 1
Views: 4136
Reputation: 123250
The Authority Key Identifier (AKI) is messed up in the certificates, which causes it to fail to build the trust path. Both the leaf certificate and the intermediate certificate have the AKI point to the root certificate:
# leaf
Issuer: C = RU, O = JSC Sberbank-AST, CN = int_ca
AKI: keyid:6C:C5:5B:22:4B:2D:CA:EC:C1:15:03:F6:5D:AD:C4:E8:4C:1D:06:89
# intermediate
Issuer: DC = ru, DC = sberbank-ast, CN = sberbank-ast-SUN-CA
AKI: keyid:6C:C5:5B:22:4B:2D:CA:EC:C1:15:03:F6:5D:AD:C4:E8:4C:1D:06:89
As can be seen, both the leaf certificate and the intermediate certificate wrongly claim to be issued by the same CA based on the Authority Key Identifier, while they correctly claim to be issued by different CAs using the Issuer field.
But not only must the Issuer field match the Subject field of the issuer; the Authority Key Identifier must also match the Subject Key Identifier of the issuer. While this is true for the relation between the intermediate CA and the root CA, it is not true for the relation between the leaf certificate and the intermediate CA, and thus verify fails here.
Upvotes: 1
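The following is an added example, not code from the question or the answer above, that reproduces the failure the answer describes with in-memory test certificates built with the pyca `cryptography` library. It plants the root CA's key identifier into the leaf's Authority Key Identifier (while keeping the Issuer name pointing at the intermediate, exactly the shape shown in the answer) and then runs the two linkage checks an issuer lookup applies: Issuer name equals the candidate's Subject, and, when the certificate carries an AKI keyid, that keyid equals the candidate's Subject Key Identifier. The names `make_cert`, `find_issuer`, `chain_link_errors` and `build_demo`, and the "demo" subject names, are this example's own. `find_issuer` is a deliberate simplification of what OpenSSL does: it shows only why no issuer is found at depth 0, and does not check signatures, validity periods or key usage, which a real verifier also does.

```python
# Added example (not from the question or answer above): reproduce the
# AKI/SKI mismatch the answer describes with in-memory test certificates,
# then run the two linkage checks an issuer lookup applies.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _ski(cert):
    """Subject Key Identifier digest of a certificate (all certs here carry one)."""
    return cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest


def _aki(cert):
    """Authority Key Identifier keyid, or None when the extension is absent."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
    except x509.ExtensionNotFound:
        return None
    return ext.value.key_identifier


def make_cert(subject_cn, key, issuer_cert, issuer_key, aki_keyid, is_ca):
    """Build a certificate; aki_keyid is written verbatim so a wrong value can be planted."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_cert.subject if issuer_cert is not None else _name(subject_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
    )
    if aki_keyid is not None:
        builder = builder.add_extension(x509.AuthorityKeyIdentifier(aki_keyid, None, None), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def find_issuer(cert, candidates):
    """Simplified issuer lookup: match by Issuer name and, when an AKI keyid is present, by the candidate's SKI."""
    for cand in candidates:
        if cand.subject != cert.issuer:
            continue
        aki = _aki(cert)
        if aki is not None and aki != _ski(cand):
            continue  # name matches but the key identifier points elsewhere: not the issuer
        return cand
    return None  # corresponds to "unable to get local issuer certificate"


def chain_link_errors(chain):
    """chain[0] is the leaf; chain[i+1] is supposed to be the issuer of chain[i]. Returns (depth, message) pairs."""
    errors = []
    for depth in range(len(chain) - 1):
        cert, issuer = chain[depth], chain[depth + 1]
        if cert.issuer != issuer.subject:
            errors.append((depth, "Issuer name does not match the issuer's Subject"))
        aki = _aki(cert)
        if aki is not None and aki != _ski(issuer):
            errors.append((depth, f"AKI keyid {aki.hex()} != issuer SKI {_ski(issuer).hex()}"))
    return errors


def build_demo():
    """Return (good_chain, bad_chain); the bad leaf carries the root's keyid in its AKI, as on the page."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    int_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())

    root = make_cert("demo root CA", root_key, None, root_key, None, True)
    intermediate = make_cert("demo int_ca", int_key, root, root_key, _ski(root), True)
    # Correct leaf: Issuer name and AKI both point at the intermediate.
    good_leaf = make_cert("demo.example", leaf_key, intermediate, int_key, _ski(intermediate), False)
    # Broken leaf: Issuer name is the intermediate, but the AKI keyid is the root's.
    bad_leaf = make_cert("demo.example", leaf_key, intermediate, int_key, _ski(root), False)
    return [good_leaf, intermediate, root], [bad_leaf, intermediate, root]


if __name__ == "__main__":
    good, bad = build_demo()
    print("good chain:", chain_link_errors(good) or "OK")
    for depth, msg in chain_link_errors(bad):
        print(f"bad chain: error at depth {depth}: {msg}")
    print("issuer found for bad leaf:", find_issuer(bad[0], bad[1:]) is not None)
```

Running it reports no errors for the good chain, one error at depth 0 for the bad chain (the AKI/SKI mismatch between leaf and intermediate), and no issuer found for the bad leaf even though the intermediate is in the candidate pool, which is the situation behind the "error 20 at 0 depth lookup" in the question. The same check can be run against the real files by replacing `build_demo()` with `x509.load_pem_x509_certificate()` on server.pem, intermediateca.pem and rootca.pem.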