The TLS (SSL) certificate on one of my site expired yesterday. I obtained a new one – and installed it on the site (running on Debian 9 under nginx). Now when I access the site from a windows or mac, the certificate is processed correctly and everything is hunky-dory.
At the same time, I have a service that runs on this same server and connects to this same site. Since the certificate update, this service started failing. Trying to debug this, I came to realise that the system itself where the certificate is installed does not trust the issuer. Using wget, I get this error:
Certificate hasn't got a known issuer
Using curl I get this error:
SSL certificate problem: unable to get local issuer certificate
This seems to point to a missing ca certificate on the system. I tried running update-ca-certificates and dpkg-reconfigure ca-certificates. Both processes complete successfully, however the problem persists.
Here's the certificate details from Chrome on mac:
I attempted to manually add root issuer certificate to the ca-certs store and update-ca-certificate, however that resulted in a warning of a duplicate certificate.
How can I get this resolved? Disabling certificate check is NOT an option; accessing the site over HTTP is not an option either.
Best Answer
This looks more like a problem where you have improperly installed the new certificate, so that only the server certificate is provided in the TLS handshake but not the intermediate certificate(s). Browser will usually successfully try to work around such misconfiguration and fill in the missing chain certificates themselves while other client don't. Please check your site against SSLLabs and look out for "chain issues" - then make sure to reconfigure your site properly so that you get no longer these chain issues.