openssl verify gives me a 20 error code whereas s_client gives me a 1 return code and correctly gets the root certificate.

Can anyone point me to how to verify a downloaded certificate?

ychaouche@ychaouche-PC 10:30:22 ~/TMP/CERTS $ openssl s_client -CApath /etc/ssl/certs/ -connect domain.tld:993 
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = domain.tld
verify return:1
---
Certificate chain
 0 s:/CN=domain.tld
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

and verify

ychaouche@ychaouche-PC 10:30:30 ~/TMP/CERTS $ openssl verify -CApath /etc/ssl/certs/ domaintld.crt 
domaintld.crt: CN = domain.tld
error 20 at 0 depth lookup:unable to get local issuer certificate
ychaouche@ychaouche-PC 10:31:21 ~/TMP/CERTS $ 

EDIT: found the answer on SO: https://stackoverflow.com/questions/28072021/discrepancy-between-openssl-verify-and-s-client-command

I don't know what's best: to simply delete this question, or to close it and add a duplicate link to SO? (for other people searching on SF).

ychaouche
    The platform does not have a functionality to close a question as a duplicate when the dup is on a different SE site. Vote up on the answer on SO and either self-answer by linking to and quoting that answer here or delete your question. – HBruijn May 22 '17 at 10:04

1 Answer

This has already been answered on SO. From https://stackoverflow.com/questions/28072021/discrepancy-between-openssl-verify-and-s-client-command

openssl verify doesn't expect the certificate to contain its chain. Chain needs to be passed with -untrusted argument. You can pass the same file there, trust is still determined by finding a trusted root in -CAfile/-CApath.

openssl verify -CApath /etc/ssl/certs -untrusted google_chain.pem google_chain.pem
ychaouche
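The behaviour described in the answer above can be reproduced offline. This is an added example, not part of the original post or the linked SO answer: it builds a constructed root, intermediate and leaf (all names hypothetical), then verifies a leaf-plus-intermediate file with and without -untrusted. It uses -CAfile instead of -CApath so no hashed directory is needed.

```shell
#!/bin/sh
# Added example. Every name below is constructed; nothing comes from the page's server.

build_chain() {  # $1 = empty working directory
  ( cd "$1" || exit 1
    # Extension file marking a certificate as a CA (needed for root and intermediate).
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in root inter leaf; do
      openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
        -out "$n.csr" -subj "/CN=example-$n" 2>/dev/null || exit 1
    done
    # Self-signed root, intermediate signed by root, leaf signed by intermediate.
    openssl x509 -req -in root.csr -signkey root.key -days 2 \
      -extfile ca.ext -out root.crt 2>/dev/null || exit 1
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 2 -extfile ca.ext -out inter.crt 2>/dev/null || exit 1
    openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
      -days 2 -out leaf.crt 2>/dev/null || exit 1
    # Leaf followed by intermediate: the shape of the chain a server presents.
    cat leaf.crt inter.crt > chain.pem
  )
}

# verify reads only the first certificate of the target file; the intermediate
# that follows it is ignored, so the issuer lookup fails with error 20.
verify_chain_file_only() {
  openssl verify -CAfile "$1/root.crt" "$1/chain.pem" 2>&1
}

# Same file also offered as -untrusted: the intermediate is now available for
# chain building, while trust still comes only from root.crt.
verify_with_untrusted() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/chain.pem" "$1/chain.pem" 2>&1
}

work=$(mktemp -d) || exit 1
trap 'rm -rf "$work"' EXIT
build_chain "$work" || exit 1
echo "== chain file only ==";     verify_chain_file_only "$work" || true
echo "== chain as -untrusted =="; verify_with_untrusted "$work"
```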