cURL error 60 when trying to connect to self

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
corp.bygeorgenet.me

I ran this command:
curl -v https://corp.bygeorgenet.me

It produced this output:

If I run the curl command on the server where the nginx that hosts https://corp.bygeorgenet.me/ is running, I get this output:

*   Trying 116.203.20.196:443...
* TCP_NODELAY set
* Connected to corp.bygeorgenet.me (116.203.20.196) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

but when I try it from any other machine, everything is absolutely fine.

My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
Hetzner

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I use acme.sh

2 Likes

Some other useful info

root@venus-de:~# ifconfig | grep inet
        inet 116.203.20.196  netmask 255.255.255.255  broadcast 116.203.20.196
        inet6 fe80::9400:ff:fe2b:eed6  prefixlen 64  scopeid 0x20<link>
        inet6 2a01:4f8:c2c:b72::1  prefixlen 64  scopeid 0x0<global>
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
root@venus-de:~# traceroute corp.bygeorgenet.me
traceroute to venus.de.srv.bygeorgenet.me (116.203.20.196), 64 hops max
  1   116.203.20.196  0.003ms  0.001ms  0.001ms 
2 Likes

Your server isn't sending the intermediate certificate.

4 Likes

Okay, I'll try using fullchain.cer!

2 Likes

Hi @gbougakov

there is a check of your domain running - https://check-your-website.server-daten.de/?q=corp.bygeorgenet.me

OpenSSL says: The intermediate certificate is missing.

PS: Yep, now the check is ready:

Chain - incomplete
1   CN=corp.bygeorgenet.me

2 Likes

Thanks guys, you saved me so many hours of investigating! Really appreciate it, everything works now :heart:

6 Likes
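
The diagnosis and fix from the replies above (the server sent only the leaf certificate; serving fullchain.cer fixed it) can be reproduced offline. This is an added example, not code from anyone in the thread: it builds a throwaway root, intermediate and leaf with the openssl CLI (assumed installed), and the names Demo Root, Demo Intermediate, corp.example.test and cert.cer are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example. Every key, name and certificate below is a throwaway built
# for this demo; nothing is taken from the server discussed in the thread.
set -eu
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

# Build root -> intermediate -> leaf, then the two files a server could serve.
build_demo_pki() {
  ( cd "$DEMO_DIR"
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Demo Root' \
      -keyout root.key -out root.pem
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
      -keyout inter.key -out inter.csr
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
      -CAcreateserial -days 2 -extfile ca.ext -out inter.pem
    openssl req -newkey rsa:2048 -nodes -subj '/CN=corp.example.test' \
      -keyout leaf.key -out leaf.csr
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key \
      -CAcreateserial -days 2 -out leaf.pem
    cp leaf.pem cert.cer                     # leaf only: the broken setup
    cat leaf.pem inter.pem > fullchain.cer   # leaf + intermediate: the fix
  ) >/dev/null 2>&1
}

# Number of certificates in a PEM file.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Validate FILE as a client would: only the root is trusted, and the
# certificates inside FILE stand in for what the server sends.
served_chain_ok() {
  openssl verify -CAfile "$DEMO_DIR/root.pem" -untrusted "$1" "$1" >/dev/null 2>&1
}

# The verification error text, if it is the one curl reported in the thread.
verify_error() {
  openssl verify -CAfile "$DEMO_DIR/root.pem" -untrusted "$1" "$1" 2>&1 |
    grep -o 'unable to get local issuer certificate' | head -n1
}

build_demo_pki
for f in cert.cer fullchain.cer; do
  if served_chain_ok "$DEMO_DIR/$f"; then result="chain complete"
  else result="FAIL: $(verify_error "$DEMO_DIR/$f")"; fi
  echo "$f: $(cert_count "$DEMO_DIR/$f") certificate(s), $result"
done
```

The same `openssl verify -untrusted FILE FILE` check can be pointed at the file named in nginx's `ssl_certificate` directive, with `-CAfile` set to the system bundle curl listed (`/etc/ssl/certs/ca-certificates.crt`).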