We've obtained a wildcard certificate from Let's Encrypt for civility.social and *.civility.social, using certbot. This works fine on all browsers and with curl and wget when verifying https://civility.social or https://graphql.civility.social. The A records for those (sub)domains point to the same server, from which the certbot challenge was completed.

Later we've added a subdomain hosted on a different server, meet. To use the same certificate on a different server, we copied the files making up the wildcard certificate from the original server to meet. Both servers use NGINX. The problem is that wget and curl fail to fetch anything from meet.civility.social, even though browsers don't complain. wget fails even with --no-check-certificate.
$ wget -v --debug --no-check-certificate https://meet.civility.social
Setting --check-certificate (checkcertificate) to 0
Setting --check-certificate (checkcertificate) to 0
DEBUG output created by Wget 1.20.3 on linux-gnu.
Reading HSTS entries from ~/.wget-hsts
URI encoding = ‘UTF-8’
Converted file name 'index.html' (UTF-8) -> 'index.html' (UTF-8)
--2020-06-26 21:39:15-- https://meet.civility.social/
Resolving meet.civility.social (meet.civility.social)... 157.245.170.94
Caching meet.civility.social => 157.245.170.94
Connecting to meet.civility.social (meet.civility.social)|157.245.170.94|:443... connected.
Created socket 3.
Releasing 0x000055ae59be63e0 (new refcount 1).
Initiating SSL handshake.
SSL handshake failed.
Closed fd 3
Unable to establish SSL connection.
$ curl https://meet.civility.social/
curl: (60) SSL certificate problem: unable to get local issuer certificate
What might be going on here?
Best Answer
You need to update the ca-certificates package. On my machine I have no SSL errors:

Edit 1:
For meet.civility.social the webserver is not sending the intermediate certificate. You can see this with a network capture in Wireshark. You are presenting only the certificate which covers *.civility.social and civility.social, but the intermediate certificate Let's Encrypt Authority X3 is omitted. certbot should take care of installing the proper intermediate certificate; for more details see: https://letsencrypt.org/certificates/ You need to concatenate the server and intermediate certificate:
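Two checks for the chain problem the answer describes, added here as an example and not the answer's own commands: count the certificate blocks in the file nginx is serving, and rebuild it with the leaf first (nginx sends the blocks in file order, so a leaf appended after the intermediate also fails). The certbot paths under /etc/letsencrypt/live/civility.social/ are the usual defaults and an assumption; the PEM content written by make_constructed_inputs is fake filler for a demo, not a real certificate.

```shell
#!/bin/sh
# Number of PEM certificate blocks in a file. A chain file holding only one
# block is exactly the symptom above: the leaf is served, the intermediate is not.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Build an nginx-ready chain file: leaf certificate first, then the
# intermediate(s). Refuses to write if either input has no certificate block,
# so a half-copied file cannot silently produce a broken chain.
build_fullchain() {
    leaf="$1"; chain="$2"; out="$3"
    [ "$(count_pem_certs "$leaf")" -ge 1 ]  || { echo "no certificate in $leaf" >&2; return 1; }
    [ "$(count_pem_certs "$chain")" -ge 1 ] || { echo "no certificate in $chain" >&2; return 1; }
    cat "$leaf" "$chain" > "$out"
}

# How many certificates a live server actually sends in the handshake
# (needs network). A Let's Encrypt chain should give at least 2; a result
# of 1 reproduces the curl "unable to get local issuer certificate" failure.
served_chain_count() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Constructed demo inputs (fake PEM filler, not real certificates) so the
# functions above can be exercised offline in the given directory.
make_constructed_inputs() {
    dir="$1"
    printf -- '-----BEGIN CERTIFICATE-----\nFAKE-LEAF\n-----END CERTIFICATE-----\n' > "$dir/cert.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nFAKE-INTERMEDIATE\n-----END CERTIFICATE-----\n' > "$dir/chain.pem"
    : > "$dir/empty.pem"
}

# Typical use on the real host (assumed certbot default paths):
#   build_fullchain /etc/letsencrypt/live/civility.social/cert.pem \
#                   /etc/letsencrypt/live/civility.social/chain.pem \
#                   /etc/letsencrypt/live/civility.social/fullchain.pem
#   served_chain_count meet.civility.social
```

Point the nginx ssl_certificate directive at the rebuilt fullchain file and reload; certbot's own fullchain.pem is already in this order, so copying that file instead of cert.pem would have avoided the problem.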