Exit with an error if the Ziti controller presents a server certificate that is not verifiable by its own well-known trust bundle.
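#!/usr/bin/env bash
#
# Check that a Ziti controller's TLS server certificate chains to the trust
# bundle the controller itself publishes at /.well-known/est/cacerts.
#
# Usage:  <script> [ZITI_EDGE]        (or export ZITI_EDGE=host:port)
# Env:    ZITI_EDGE  controller host:port; the argument takes precedence
#         ZITI_ALPN  ALPN protocol list offered in the TLS handshake
#         TMPDIR     base directory for the private working directory
# Exit:   0 when the chain verifies to a root CA in the bundle
#         1 on usage error, fetch failure, or an unverifiable chain
#
# NOTE(review): the bundle is fetched with TLS verification disabled (curl -k)
# because it is the very trust anchor being bootstrapped. A success therefore
# shows that the presented chain is consistent with what the controller
# publishes; it does not authenticate the controller on its own, and no
# hostname/IP match is checked (openssl s_client -verify_hostname /
# -verify_ip would add that).
set -o errexit
set -o nounset
set -o pipefail
# set -o xtrace

: "${ZITI_ALPN:=h2,http/1.1}"
BASENAME="$(basename "${0}")"

# Print a diagnostic on stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Usage text goes to stderr so it is never mistaken for check output.
usage() {
  echo -e " Usage:\n"\
    " ${BASENAME} [ZITI_EDGE]\n"\
    "Example:\n"\
    " ${BASENAME} 127.0.0.1:1280\n"\
    "Options:\n"\
    " ZITI_ALPN\tALPN protocols to use when connecting to the controller\n"\
    "\t\t[h2,http/1.1|ziti-ctrl] (default: ${ZITI_ALPN})" >&2
  exit 1
}

# The positional argument wins; otherwise ZITI_EDGE must come from the env.
if (( $# )); then
  ZITI_EDGE=$1
elif [[ -z "${ZITI_EDGE:-}" ]]; then
  usage
fi

# Always work in a fresh private directory (created under TMPDIR when that is
# set) instead of writing a predictable file name into a possibly shared temp
# directory, and remove it on every exit path.
WORKDIR="$(mktemp -d)" || die "ERROR: could not create a working directory"
cleanup() { rm -rf -- "${WORKDIR:?}"; }
trap cleanup EXIT
cd "${WORKDIR}" || die "ERROR: cannot cd to ${WORKDIR}"

echo -e "\nINFO: getting server cert chain from ${ZITI_EDGE} with ALPN ${ZITI_ALPN}\n"
# s_client writes its handshake report on stderr, so both streams are fed to
# storeutl. When no certificate was parsed, grep matches nothing and pipefail
# turns that into an explicit error rather than a silent exit 1.
openssl s_client \
  -alpn "${ZITI_ALPN}" \
  -connect "${ZITI_EDGE}" \
  -showcerts <>/dev/null \
  |& openssl storeutl -certs -noout -text /dev/stdin \
  | grep -E '(Subject|Issuer):' \
  || die "ERROR: no server certificate chain received from ${ZITI_EDGE}"

# -k: verification is intentionally off, this is the trust anchor we are about
#     to verify against (see the header note).
# -f: an HTTP error page must not be accepted as a bundle; without it the
#     error body would be base64-decoded and handed to openssl.
curl -sSkf "https://${ZITI_EDGE}/.well-known/est/cacerts" \
  | base64 -d \
  | openssl pkcs7 -inform DER -outform PEM -print_certs \
  > ./well-known.pem \
  || die "ERROR: could not fetch the trust bundle from ${ZITI_EDGE}"
[[ -s ./well-known.pem ]] || die "ERROR: trust bundle from ${ZITI_EDGE} is empty"

# -verify_return_error makes a failed chain verification fail the handshake,
# so the exit status of s_client is the verdict.
if openssl s_client \
  -alpn "${ZITI_ALPN}" \
  -connect "${ZITI_EDGE}" \
  -showcerts \
  -verify_return_error \
  -CAfile ./well-known.pem </dev/null &>/dev/null; then
  echo -e '\nINFO: verified by root CA'
  exit 0
# -partial_chain accepts a chain that ends at an intermediate present in the
# bundle; reaching this branch means the bundle lacks the root.
elif openssl s_client \
  -alpn "${ZITI_ALPN}" \
  -connect "${ZITI_EDGE}" \
  -showcerts \
  -verify_return_error \
  -CAfile ./well-known.pem \
  -partial_chain </dev/null &>/dev/null; then
  echo -e '\nERROR: verified by intermediate CA, missing root' >&2
  exit 1
else
  echo -e '\aERROR: not verified' >&2
  exit 1
fi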