
Why openssl verify does not work for the certificate chain of a correctly configured site?

Çağlar Arlı


I downloaded its certificates. To do that, I used the openssl debug output of the command

openssl s_client -connect security.stackexchange.com:443 -servername security.stackexchange.com -showcerts -debug </dev/null 2>&1|tee out

The output says nothing unusual; it is an ordinary SSL handshake, including the certificate chain. I do not post it only because it is long (but it is available if someone needs it).

Then, I extract the certificates from the debug output with a well-done editor. There are 4 of them.

If I try to verify them with the openssl verify command, I get this:

$ openssl verify -CAfile s4.crt s3.crt
C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 1 depth lookup: unable to get issuer certificate
error s3.crt: verification failed

Why?

This site, security.stackexchange.com, has a perfectly okay cert chain; verification should work without any problem.

Note: I am trying to verify the penultimate cert of the chain (C = US, O = Internet Security Research Group, CN = ISRG Root X2) with the last (C = US, O = Internet Security Research Group, CN = ISRG Root X1) certificate. Intermediate certs should not play any role, making this question not a dupe of this.
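The two manual steps in the question (cutting the PEM blocks out of the saved s_client output, then running openssl verify) can be scripted so that the chain is inspected before verification. The following is an added example, not code from the original post: it splits the `-showcerts` output into one file per certificate in the order the server sent them, prints subject and issuer for each, checks whether the last certificate is actually self-signed (only a self-signed certificate works as a trust anchor on its own; a cross-signed one needs its issuer in `-CAfile` too, which is exactly what "unable to get issuer certificate" at the last depth reports), and finally verifies the leaf with the last cert as the only anchor and everything in between as `-untrusted`. The file names `out`, `chain-N.crt`, the `certs` directory and the constructed sample produced by `make_sample` are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: the s_client
# output saved by `tee out`, split certs written as OUTDIR/chain-N.crt.
# usage: split_certs out certs && show_chain certs && verify_chain certs

# split_certs IN OUTDIR: one chain-N.crt per BEGIN/END CERTIFICATE block,
# numbered in the order the server sent them; prints how many were written.
split_certs() {
    in="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v d="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/chain-" n ".crt"; inblock = 1 }
        inblock { print > f }
        /-----END CERTIFICATE-----/ { inblock = 0; close(f) }
    ' "$in"
    ls "$outdir"/chain-*.crt 2>/dev/null | wc -l | tr -d ' '
}

# is_self_signed CERT: succeeds when subject and issuer are identical, i.e. the
# file is a root that `openssl verify -CAfile` can use as a trust anchor by
# itself. The sed handles both the "subject=C = US" and "subject= /C=US" forms
# that different OpenSSL versions print.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

# show_chain OUTDIR: subject and issuer of every cert, in server order, so the
# "who issued whom" structure is visible before verifying anything.
show_chain() {
    for f in "$1"/chain-*.crt; do
        printf '%s\n  ' "$f"
        openssl x509 -in "$f" -noout -subject -issuer | tr '\n' ' '
        printf '\n'
    done
}

# verify_chain OUTDIR: verify the leaf (chain-1) using the last cert as the
# only trust anchor and every cert in between as -untrusted. Warns when the
# last cert is not self-signed, because then its own issuer is missing from
# the anchor file and verify will stop at that depth. (Chains are assumed to
# have fewer than 10 certs so that the ls ordering of chain-N is numeric.)
verify_chain() {
    dir="$1"
    n=$(ls "$dir"/chain-*.crt | wc -l | tr -d ' ')
    root="$dir/chain-$n.crt"
    if ! is_self_signed "$root"; then
        echo "note: $root is not self-signed; its issuer must also be in -CAfile" >&2
    fi
    set --
    k=2
    while [ "$k" -lt "$n" ]; do
        set -- "$@" -untrusted "$dir/chain-$k.crt"
        k=$((k + 1))
    done
    openssl verify -CAfile "$root" "$@" "$dir/chain-1.crt"
}

# make_sample OUTFILE: a constructed stand-in for s_client -showcerts output
# (two PEM blocks with dummy bodies, NOT real certificates) used to exercise
# the splitting logic offline.
make_sample() {
    printf '%s\n' \
        'CONNECTED(00000003)' '---' 'Certificate chain' \
        ' 0 s:CN = example-leaf' '   i:CN = example-root' \
        '-----BEGIN CERTIFICATE-----' 'CONSTRUCTEDLEAFBODY' '-----END CERTIFICATE-----' \
        ' 1 s:CN = example-root' '   i:CN = example-root' \
        '-----BEGIN CERTIFICATE-----' 'CONSTRUCTEDROOTBODY' '-----END CERTIFICATE-----' \
        '---' 'Server certificate' > "$1"
}
```

With a real `out` file, `show_chain` makes it obvious whether the last certificate the server sent has a subject equal to its issuer; if it does not, `openssl verify -CAfile` with only that file can never reach a trusted self-signed root, and the verification stops with "unable to get issuer certificate" at that depth regardless of how correct the rest of the chain is.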