Bug #37021

open

katello-certs-check should succeed if intermediates are presented without root

Added by Kevin Keane about 1 year ago. Updated 8 days ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

The katello-certs-check utility requires that the provided certificate chain contains not just all intermediate certs, but also the root certificate.

It should accept a certificate bundle that contains only intermediate certificates, as long as the root is globally installed on the server. This is in keeping with RFCs, and also because some CAs (Sectigo in my case) only provide intermediate certificates.

To achieve that, the openssl verify line should be changed to replace the -CAfile argument with the -untrusted argument.

CHECK=$(openssl verify -untrusted $CA_BUNDLE_FILE -purpose sslserver -verbose $CERT_FILE 2>&1)

How to reproduce:

Obtain a certificate, key, and corresponding intermediate certificates. Ensure that the intermediate certificates do not include a self-signed root certificate.

Then run:

katello-certs-check -c <certfile>.pem -k <keyfile>.pem -b <ca intermediate bundle>.pem

Expected result:
...
Checking CA bundle against the certificate file:
[OK]
...

Actual result:
...
Checking CA bundle against the certificate file:
[FAIL]

The <intermediate>.pem does not verify the <certificate>.pem
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
error 2 at 2 depth lookup: unable to get issuer certificate
error <certificate>.pem: verification failed
...
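The difference between `-CAfile` and `-untrusted` that the report hinges on can be reproduced without a real CA. The script below is an added example, not code from the bug report or from katello-certs-check: it builds a constructed root -> intermediate -> server chain with openssl, then runs the check three ways. `-no-CAfile`/`-no-CApath` are used so that "root present in the server's trust store" and "root absent" are simulated explicitly (root.pem passed via `-CAfile` stands in for the globally installed root) and the result does not depend on the machine's own trust store. All names and files are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the bug report or from katello-certs-check.
# Builds a throwaway root -> intermediate -> server chain and runs the three
# ways of calling openssl verify that the report discusses. All names and
# files are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-contained openssl config so the demo does not depend on the system
# openssl.cnf; -subj on the command line overrides the dn section.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# Constructed test PKI: root.pem (self-signed), inter.pem (signed by root),
# leaf.pem (server cert signed by inter). The "bundle" the CA hands out in
# the report's scenario is inter.pem alone, without root.pem.
make_chain() (
  cd "$WORK"
  openssl req -x509 -config openssl.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Demo Root CA" -days 2 >/dev/null 2>&1
  openssl req -new -config openssl.cnf -newkey rsa:2048 -nodes \
    -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile openssl.cnf -extensions v3_ca -out inter.pem -days 2 >/dev/null 2>&1
  openssl req -new -config openssl.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=katello.example.test" >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -extfile openssl.cnf -extensions v3_leaf -out leaf.pem -days 2 >/dev/null 2>&1
)

# How the check is run today: the bundle is the trust anchor. With only an
# intermediate in it, chain building never reaches a self-signed cert, so
# openssl reports "unable to get issuer certificate" and exits non-zero.
verify_bundle_as_cafile() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/inter.pem" \
    -purpose sslserver "$WORK/leaf.pem"
}

# The report's proposed command on a server whose trust store lacks the root:
# -untrusted only supplies intermediates, so this still fails. This is the
# "as long as the root is globally installed" condition in the report.
verify_untrusted_without_root() {
  openssl verify -no-CAfile -no-CApath -untrusted "$WORK/inter.pem" \
    -purpose sslserver "$WORK/leaf.pem"
}

# The proposed command on a server whose trust store contains the root
# (root.pem via -CAfile plays the role of the globally installed root).
verify_untrusted_with_root() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/root.pem" \
    -untrusted "$WORK/inter.pem" -purpose sslserver "$WORK/leaf.pem"
}

make_chain
for check in verify_bundle_as_cafile verify_untrusted_without_root verify_untrusted_with_root; do
  printf '%s: ' "$check"
  if out="$("$check" 2>&1)"; then
    echo "[OK]"
  else
    echo "[FAIL]"
    echo "$out" | sed 's/^/    /'
  fi
done
```

Only the last call succeeds: `-untrusted` tells openssl which certificates may be used to build the chain, while the trust decision still comes from `-CAfile`/`-CApath` or the default store. That is why the proposed change only helps on hosts where the root is already installed system-wide.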

#1

Updated by Kevin Keane about 1 year ago

When fixing this issue, foreman-maintain also needs to be fixed the same way.

#2

Updated by Kevin Keane 8 days ago

The underlying issue appears to be slightly different. The cachain.pem provided by Sectigo includes the full chain up to the root, but is missing an older cross-signing certificate that shouldn't be required to validate the cert.
