openssl won’t verify certs beyond intermediate CA, error 20 even when using CApath or CAfile

Ultimately, I am trying to configure an ocsp server on ubuntu 20.4, but I cannot even verify any certs issued by my intermediate CA yet.

I have configured a ca-root called ca-root.mydomain.org. I also have configured an intermediate ca called ca-sub.mydomain.org. Finally, there is my future ocsp server, ocsp-server.mydomain.org.

First, I make a self-signed cert ca_root_cert_file. Then I have the ca-root sign a cert for ca-sub.mydomain.org, ca_sub_cert_file. I then create a cert chain pem file “sub-chain.pem”. It contains the sub-ca cert, then the ca-root cert, in that order.

Next, I then copy both ca_root_cert_file and ca_sub_cert_file to a “$CA_ROOTS_HASHES_DIR” directory, and copy all the root certs in /etc/ssl/certs there as well. I run the openssl utility c_rehash -v "$CA_ROOTS_HASHES_DIR". I expect I can now use this as the argument for the -CApath parameter of openssl verify.

Next, I have the ca-sub sign a cert for ocsp-server.mydomain.org. I then create a cert chain pem file “ocsp_signer_chain.pem”. It contains the ocsp-server cert, the sub-ca cert, then the ca-root cert, in that order. I don’t expect to need this ocsp_signer_chain.pem, but I have it.

I can use openssl verify to verify ca_sub_cert_file:

```
openssl verify -verbose -show_chain -CApath "$CA_ROOTS_HASHES_DIR" "$ca_sub_cert_file"
OK
Chain:
depth=0: C = US, ST = California, L = Pacifica, O = Mydomain, CN = ca-sub.mydomain.org (untrusted)
depth=1: C = US, ST = California, L = Pacifica, O = Mydomain, CN = ca-root.mydomain.org, emailAddress = deft@mydomain.org
```

But I can’t verify ocsp-server_cert_file. I always get error 20 at 0 depth lookup: unable to get local issuer certificate.
I’ve tried CAfile with sub-chain.pem vs. ocsp_signer_chain.pem vs. -CApath "$CA_ROOTS_HASHES_DIR".
I’ve tried with and without -untrusted "$ca_sub_cert_file".

```
openssl verify -verbose -show_chain -CApath "$CA_ROOTS_HASHES_DIR" -untrusted  "$ca_sub_cert_file" "$ocsp-server_cert_file"
C = US, ST = California, L = Pacifica, O = Mydomain, CN = ocsp-signer.mydomain.org
error 20 at 0 depth lookup: unable to get local issuer certificate
error ocsp.mydomain.org_ocspserver_ocsp-signing.crt: verification failed
```

What am I doing wrong? I’ve been searching for days, but the answers I’ve found all end with using CApath or CAfile.

I’m surprised that even when verifying ca_sub_cert_file, openssl reports “ca-sub.mydomain.org (untrusted)”. I expected that having the cert in CA_ROOTS_HASHES_DIR would make it trusted. :/
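A constructed end-to-end reproduction, added here as an example and not part of the question: it builds a root, an intermediate and a leaf with placeholder names, hashes only the root into a CApath directory, verifies the leaf with the intermediate supplied via -untrusted, reproduces the error 20 when the intermediate is missing, and includes the issuer-DN comparison that the depth-0 lookup performs. It assumes openssl 1.1.1 or 3.x on PATH and writes everything to a temporary directory.

```shell
#!/bin/sh
# Constructed example (not from the question): root -> sub-CA -> leaf with placeholder
# names, root hashed into a CApath directory, leaf verified with the sub-CA as -untrusted.
# Assumes openssl 1.1.1 or 3.x on PATH; all files go to a temp directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA: self-signed; extensions come only from the extfile (CA:TRUE, keyCertSign, SKI).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=ca-root.example" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt 2>/dev/null

# Sub-CA signed by the root: the signed cert must carry CA:TRUE again (the CSR does not).
openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
  -subj "/CN=ca-sub.example" 2>/dev/null
printf 'authorityKeyIdentifier=keyid\n' >> ca.ext
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
  -extfile ca.ext -out sub.crt 2>/dev/null

# Leaf (OCSP responder certificate) signed by the sub-CA.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=ocsp.example" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=OCSPSigning\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial -days 30 \
  -extfile leaf.ext -out leaf.crt 2>/dev/null

# Trust store: only the root goes into the hashed directory ("openssl rehash" is the
# built-in equivalent of c_rehash). The sub-CA is handed over with -untrusted instead.
mkdir hashes && cp root.crt hashes/ && openssl rehash hashes 2>/dev/null

# Full chain: leaf -> sub (from -untrusted) -> root (from -CApath). Exit 0 on success.
verify_leaf() {
  openssl verify -CApath hashes -untrusted sub.crt leaf.crt >/dev/null 2>&1
}
# Same without the intermediate: the leaf's issuer is found nowhere openssl may look,
# which is exactly "error 20 at 0 depth lookup: unable to get local issuer certificate".
verify_leaf_without_intermediate() {
  openssl verify -CApath hashes leaf.crt >/dev/null 2>&1
}
# The lookup that fails at depth 0: the cert's issuer DN must equal the candidate CA's
# subject DN exactly (and its AKI the candidate's SKI, when both are present).
issuer_matches() {  # $1 = certificate, $2 = candidate issuer
  i=$(openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^issuer=//')
  s=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$2" | sed 's/^subject=//')
  [ "$i" = "$s" ]
}
# depth 0 is always labelled "(untrusted)": it is the cert under test, not a store entry.
openssl verify -show_chain -CApath hashes -untrusted sub.crt leaf.crt
```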