Why is the root CA not trusted, and why can't the OCSP responder locate the issuer?


I am starting with OpenSSL and more specifically with the OCSP responder. I have many errors, but I don't know why.

Response Verify Failure
40E725B2167F0000:error:13800065:OCSP routines:ocsp_verify_signer:certificate verify error:../crypto/ocsp/ocsp_vfy.c:64:Verify error: unable to get local issuer certificate
40E725B2167F0000:error:13800067:OCSP routines:ocsp_check_delegated:missing ocspsigning usage:../crypto/ocsp/ocsp_vfy.c:376:
40E725B2167F0000:error:13800070:OCSP routines:OCSP_basic_verify:root ca not trusted:../crypto/ocsp/ocsp_vfy.c:149:
./demoCA/newcerts/test.crt: unknown
    This Update: Apr 18 07:21:46 2023 GMT

My script is:


#!/bin/bash

# SETUP
cd ~/Documents/
mkdir -p Test_PKI

# import the openssl.cnf files
cp ~/openssl_root.cnf ./Test_PKI/openssl_root.cnf
cp ~/openssl_inter.cnf ./Test_PKI/openssl_inter.cnf

# create the directories
cd Test_PKI/

mkdir -p demoCA/newcerts
touch ./demoCA/index.txt

echo '01' > ./demoCA/serial

mkdir RootCA
mkdir Relais1
mkdir Relais2
mkdir OCSP

# Root: self-signed CA certificate
openssl genrsa -out ./RootCA/rootCA.key 1024

openssl req -new -x509 -days 3650 -key ./RootCA/rootCA.key -out ./RootCA/rootCA.crt -config openssl_root.cnf -subj "/C=FR/ST=Cenon/O=Ada/CN=RootCA" -addext "keyUsage = cRLSign, keyCertSign"

# Relais1: intermediate CA signed by the root
openssl req -new -newkey rsa:4096 -nodes -keyout ./Relais1/RelaisCA1.key -out ./Relais1/RelaisCA1.csr -subj "/C=FR/ST=Cenon/L=Cenon/O=Ada/CN=Relais1"

openssl x509 -req -in ./Relais1/RelaisCA1.csr -out ./Relais1/RelaisCA1.crt -CA ./RootCA/rootCA.crt -CAkey ./RootCA/rootCA.key -CAcreateserial -days 730 -extfile <(echo "subjectKeyIdentifier=hash";echo "authorityKeyIdentifier=keyid";echo "basicConstraints=critical,CA:TRUE";echo "keyUsage=digitalSignature,keyCertSign,cRLSign")

# Relais2: second intermediate CA signed by the root
openssl req -new -newkey rsa:4096 -nodes -keyout ./Relais2/RelaisCA2.key -out ./Relais2/RelaisCA2.csr -subj "/C=FR/ST=Cenon/L=Cenon/O=Ada/CN=Relais2"

openssl x509 -req -in ./Relais2/RelaisCA2.csr -out ./Relais2/RelaisCA2.crt -CA ./RootCA/rootCA.crt -CAkey ./RootCA/rootCA.key -CAcreateserial -days 730 -extfile <(echo "subjectKeyIdentifier=hash";echo "authorityKeyIdentifier=keyid";echo "basicConstraints=critical,CA:TRUE";echo "keyUsage=digitalSignature,keyCertSign,cRLSign")

# OCSP: responder certificate signed by Relais1 (no extensions file is passed here)
openssl req -new -nodes -out ./OCSP/ocspSigning.csr -keyout ./OCSP/ocspSigning.key -subj "/C=FR/ST=Cenon/L=Cenon/O=Ada/CN=OCSP"

openssl x509 -req -in ./OCSP/ocspSigning.csr -out ./OCSP/ocspSigning.crt -CA ./Relais1/RelaisCA1.crt -CAkey ./Relais1/RelaisCA1.key -CAcreateserial

# start the responder, which answers from demoCA/index.txt
openssl ocsp -index demoCA/index.txt -port 8080 -rsigner ./OCSP/ocspSigning.crt -rkey ./OCSP/ocspSigning.key -CA ./Relais1/RelaisCA1.crt -text -out log.txt &

# And my request in another terminal:

openssl ocsp -CAfile ./RootCA/rootCA.crt -issuer ./Relais1/RelaisCA1.crt -cert ./demoCA/newcerts/test.crt -url http://127.0.0.1:8080 -resp_text


I understand the error, but I haven't found how to fix it.

I tried many things, like:
- changing .crt to .pem
- verifying the certificate chain
- using a trusted CA (so I no longer get the error: root ca not trusted)

But I don't understand why it can't locate the issuer and why it returns "certificate unknown". Can you help me understand and fix the error, please?
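The three messages in the output each name a check that an OpenSSL OCSP client performs: "unable to get local issuer certificate" means the verifier could not chain the responder's certificate up to something in its trust store (the store here holds only the root, while the responder cert is issued by Relais1); "missing ocspsigning usage" means a responder that is not the CA itself must carry extendedKeyUsage=OCSPSigning; and "unknown" is what the responder returns for a serial that is not listed in the index.txt it was started with. The script below is an added example, not the asker's code: an offline mini PKI whose responder cert carries the OCSPSigning EKU and whose trust file holds the intermediate as well as the root. The names (DemoRoot, DemoInter, leaf.example), the temp directory and the 365-day lifetimes are assumptions for the demo.

```shell
# Added example, not the asker's script: an offline mini PKI whose responder cert carries
# the OCSPSigning EKU and whose trust file holds the intermediate plus the root. Names are made up.
set -e
ocsp_demo_build() {
  dir=$(mktemp -d) && cd "$dir" || return 1
  {
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_ocsp]
keyUsage = critical,digitalSignature
extendedKeyUsage = OCSPSigning
EOF
    # self-signed root, then an intermediate CA signed by it
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
      -days 365 -subj /CN=DemoRoot -config pki.cnf -extensions v3_ca
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
      -subj /CN=DemoInter -config pki.cnf
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -days 365 -extfile pki.cnf -extensions v3_ca -out inter.crt
    # delegated responder cert: extendedKeyUsage=OCSPSigning is what ocsp_check_delegated wants
    openssl req -new -newkey rsa:2048 -nodes -keyout ocsp.key -out ocsp.csr \
      -subj /CN=DemoOCSP -config pki.cnf
    openssl x509 -req -in ocsp.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
      -days 365 -extfile pki.cnf -extensions v3_ocsp -out ocsp.crt
    # leaf cert with serial 01 plus its index.txt row; serials missing from this file come back "unknown"
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -subj /CN=leaf.example -config pki.cnf
    openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -set_serial 1 \
      -days 365 -out leaf.crt
    printf 'V\t991231235959Z\t\t01\tunknown\t/CN=leaf.example\n' > index.txt
    # what the verifying side trusts: intermediate AND root, not the root alone
    cat inter.crt root.crt > chain.pem
    # responder role, run offline: answer for leaf.crt straight from index.txt
    openssl ocsp -index index.txt -CA inter.crt -rsigner ocsp.crt -rkey ocsp.key \
      -issuer inter.crt -cert leaf.crt -no_nonce -noverify -respout resp.der
  } >/dev/null
  echo "$dir"
}
# client role: check the stored response against the trust file passed as $2
ocsp_verify() {
  openssl ocsp -respin "$1/resp.der" -issuer "$1/inter.crt" -cert "$1/leaf.crt" \
    -CAfile "$2" -no_nonce 2>&1 || return 1
}
```

Run `d=$(ocsp_demo_build); ocsp_verify "$d" "$d/chain.pem"` to see "Response verify OK" followed by "leaf.crt: good"; the same verification against a file holding only root.crt is the situation in the question.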
