Score:0

Why does openssl -trusted_first option behave differently from X509_V_FLAG_TRUSTED_FIRST environment variable?

us flag

I've a perl script that runs openssl to locally check certificates' validity. I don't want to just set an env var and walk away. This feels more like something is funny with my openssl installation or configuration

What is the system, versions…

I'm locally validating certificates from Letsencrypt. This is a 20.04/Focal system. Openssl is OpenSSL 1.1.1f 31 Mar 2020 and so I would expect it to happily validate certs, even with LE "cross-signing" them using the new ISRG root cert.

However, once the old X3 cert expired, these errors began…

openssl verify -verbose -purpose sslserver -CAfile /path/redacted/chain.pem /path/redacted/cert.pem
C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error /path/redacted/cert.pem: verification failed

This felt strange. Some digging led me to wonder about the -trusted_first option to openssl verify. This is exactly what openssl would complain about if the trusted-first option were not enabled. Trying to explicitly enable that option, however, has no effect:

openssl verify -trusted_first -verbose -purpose sslserver -CAfile /path/redacted/chain.pem /path/redacted/cert.pem
C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error /path/redacted/cert.pem: verification failed

Ok, fine. That option should be on by default since openssl 1.1.1 (that's this system, see above). So my explicitly including it should make no difference.

But eventually I tried specifying it as an env var. Wait, wat? Why does specifying this environment variable fix openssl's behavior to trust the first root cert it finds in the chain:

set X509_V_FLAG_TRUSTED_FIRST openssl verify -trusted_first -verbose -purpose sslserver -CAfile /path/redacted/chain.pem /path/redacted/cert.pem

…runs with exit value of zero.

zooming out

I don't understand why openssl doesn't Just Work(tm). This is a fully updated 20.04. The newer ISRG root cert is installed in /etc/ssl/certs/ISRG_Root_X1.pem and update-ca-certificates is happy:

Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Score:3
us flag

I'm pretty sure that is not how you set an environment variable before running a command.

https://www.gnu.org/software/bash/manual/html_node/The-Set-Builtin.html

For example, I think you'd want something like

X509_V_FLAG_TRUSTED_FIRST=1 openssl verify -trusted_first -verbose -purpose sslserver -CAfile /path/redacted/chain.pem /path/redacted/cert.pem

instead.

Score:1
se flag

I see two issues here.

First, as RyanTM mentions, you're not setting the environment variable correctly. The exit 0 is coming from set, not the openssl command.

Second, X509_V_FLAG_TRUSTED_FIRST is not an environmental variable. Using it as an environmental variable won't do anything in OpenSSL.

Check out the man page for more details. Note this is from "man3" which is for C library functions.
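To make both answers concrete, here is an added example (not from the question or either answer) that contrasts the question's `set NAME cmd ...` form with the `NAME=value cmd ...` form. The stub script in `STUB` and the functions `via_set` and `via_prefix` are constructed stand-ins for the real `openssl verify` command line, so the script runs without any certificates.

```shell
#!/bin/sh
# Stand-in for `openssl verify`: reports whether X509_V_FLAG_TRUSTED_FIRST
# reached its environment, then exits 1 like the failing verify in the
# question. (Constructed for this example; real openssl ignores the variable.)
STUB='printf "env: X509_V_FLAG_TRUSTED_FIRST=%s\n" "${X509_V_FLAG_TRUSTED_FIRST:-<unset>}"; exit 1'

# The question's form: `set` only assigns positional parameters and returns 0.
# The "command" after the variable name is never executed, so the exit
# status of 0 is set's, not openssl's.
via_set() {
    set X509_V_FLAG_TRUSTED_FIRST sh -c "$STUB"
    status=$?
    echo "set form: \$1=$1 \$2=$2 status=$status (nothing was run)"
    return $status
}

# The form the first answer suggests: the assignment is placed in the
# child's environment only, and the exit status is the child's.
via_prefix() {
    X509_V_FLAG_TRUSTED_FIRST=1 sh -c "$STUB"
    status=$?
    echo "prefix form: status=$status"
    # The parent shell is untouched by the per-command assignment.
    [ -z "${X509_V_FLAG_TRUSTED_FIRST+x}" ] && echo "parent shell: variable still unset"
    return $status
}

demo() {
    via_set
    via_prefix || echo "(child exit status $? propagated to the caller)"
}

demo
```

Even with the variable correctly exported, the stub still exits 1: as the second answer notes, X509_V_FLAG_TRUSTED_FIRST is a libcrypto verification flag, and the only command-line way to request it is the -trusted_first option, which is already the default in 1.1.1.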
