SSL working for newest Chrome but not curl or wget

As far as I can tell the /etc/ssl/certs/DST_Root_CA_X3.pem and /etc/ssl/certs/ca-certificates.crt files on my Debian Stretch system match what Chrome is using (serial #44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b) to successfully verify https://docs.raineyelectronics.com.

Is this a case of Chrome being “ahead” of the updates on my Debian system in some other respect, or of wget/curl being more stringent about what they’re checking? I did run update-ca-certificates.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: docs.raineyelectronics.com

I ran this command: openssl s_client -connect docs.raineyelectronics.com:443

It produced this output:
CONNECTED(00000003)
depth=0 CN = docs.raineyelectronics.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = docs.raineyelectronics.com
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
0 s:/CN=docs.raineyelectronics.com
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3

Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/CN=docs.raineyelectronics.com
issuer=/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3

No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 2078 bytes and written 302 bytes
Verification error: unable to verify the first certificate

New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 07BDA551C3072FC5AF5EFBE32B1F7977FB1366C1DF34FF4931C022354AD9540F
Session-ID-ctx:
Master-Key: 5CBD08BFFAC54849A946819F46B4993AA5327DDD090F8C7DC07E1D5A3DC44462ACC0B4772BBEEDB974C8DCF53CC2B479
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - bc 3a ce db 77 64 16 30-3a 96 8b fe 4b d8 59 ee .:…wd.0:…K.Y.
0010 - f9 b7 58 9e 26 50 d8 ac-d7 fa b7 c9 01 10 32 25 …X.&P…2%
0020 - 52 d9 4a 93 6e 36 f5 63-39 72 43 da d5 5a 63 19 R.J.n6.c9rC…Zc.
0030 - 28 26 78 9a 16 77 fa 2c-47 11 0c 9e 09 74 46 e2 (&x…w.,G…tF.
0040 - 2d f5 00 23 e3 cd 81 4e-79 80 39 5d fb ef d4 a4 -…#…Ny.9]…
0050 - 11 04 35 9a 3e c5 61 05-1b d6 ca 51 66 7b 65 2c …5.>.a…Qf{e,
0060 - bc 81 b1 0b 14 2a 35 4e-0c a7 d3 e1 d9 5e af 98 …*5N…^…
0070 - 98 7f c2 79 a5 75 97 07-c1 48 ab 91 37 13 9d f9 …y.u…H…7…
0080 - e2 9a 15 62 34 03 1b 6c-e1 6c e1 ac e5 9a 7a ff …b4…l.l…z.
0090 - f9 cd 5e 5b be 64 d7 fa-05 06 ff 53 8e 6e d4 f6 …^[.d…S.n…
00a0 - 63 10 5b 3a ac cb e0 83-fd ac 2d 82 ad 14 ad 32 c.[:…-…2
00b0 - fe 52 ac 0d 26 c4 f1 0d-6f a0 4e 8e 96 ce bf bd .R…&…o.N…

Start Time: 1557935127
Timeout   : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no

My web server is (include version): nodejs

The operating system my web server runs on is (include version): node-v6.11.3

My hosting provider, if applicable, is: rackspace.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

Hi @doif

Checking your domain, your chain is incomplete ( https://check-your-website.server-daten.de/?q=docs.raineyelectronics.com ):

Your certificate is ok:

	24.03.2019 to 22.06.2019, expires in 38 days	docs.raineyelectronics.com - 1 entry

But your chain doesn't send the intermediate certificate:

Chain - incomplete	
	1	CN=docs.raineyelectronics.com

That should look like

Chain (complete)	
	1	CN=*.server-daten.de
	2	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

You should have three files - cert, key, fullchain. Perhaps use fullchain instead of cert. Fullchain should include both certificates - your certificate and the intermediate certificate. Open it with an editor, then you should see that.
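The diagnosis above can be reproduced mechanically from the "Certificate chain" section that openssl s_client prints. The following Node.js script is an added example, not code from the thread or from any of its participants: it parses that section from constructed copies of the s_client output (the leaf-only case from the original post, and an assumed second sample of what the same site sends once the intermediate is included) and reports whether a client that only trusts root CAs could build a path. The trusted-root list is a stand-in for the system store and is an assumption, as is the complete sample.

```javascript
// Added example (not from the thread): read the "Certificate chain" block that
// `openssl s_client -connect host:443` prints and report whether the served
// chain can be verified by a client that only knows root CAs.
//
// Assumptions (not from the thread): TRUSTED_ROOT_SUBJECTS is a constructed
// stand-in for the system trust store, and COMPLETE is a constructed sample.

// Constructed root list: subject names a client trusts out of the box.
const TRUSTED_ROOT_SUBJECTS = new Set([
  '/O=Digital Signature Trust Co./CN=DST Root CA X3',
]);

// Parse the "Certificate chain" section into [{depth, subject, issuer}, ...].
// s_client prints each entry as " N s:<subject>" followed by "   i:<issuer>".
function parseChain(sClientOutput) {
  const lines = sClientOutput.split('\n').map((l) => l.trim());
  const start = lines.indexOf('Certificate chain');
  if (start === -1) throw new Error('no "Certificate chain" section found');
  const chain = [];
  for (let i = start + 1; i < lines.length; i++) {
    const m = lines[i].match(/^(\d+)\s+s:(.*)$/);
    if (!m) {
      // A separator or blank line after the first entry ends the section.
      if (chain.length > 0 && (lines[i] === '' || lines[i] === '---')) break;
      continue;
    }
    const issuerLine = (lines[i + 1] || '').match(/^i:(.*)$/);
    if (!issuerLine) throw new Error(`missing issuer line after depth ${m[1]}`);
    chain.push({ depth: Number(m[1]), subject: m[2].trim(), issuer: issuerLine[1].trim() });
    i++; // skip the issuer line we just consumed
  }
  return chain;
}

// Walk the chain: each certificate's issuer must be the next certificate's
// subject, and the last issuer (or the last subject) must be a trusted root.
function diagnoseChain(chain) {
  if (chain.length === 0) return { complete: false, reason: 'server sent no certificates' };
  for (let i = 0; i < chain.length - 1; i++) {
    if (chain[i].issuer !== chain[i + 1].subject) {
      return {
        complete: false,
        reason: `cert ${i} is issued by "${chain[i].issuer}" but cert ${i + 1} is "${chain[i + 1].subject}"`,
      };
    }
  }
  const last = chain[chain.length - 1];
  if (TRUSTED_ROOT_SUBJECTS.has(last.issuer)) return { complete: true, reason: 'chain reaches a trusted root' };
  if (TRUSTED_ROOT_SUBJECTS.has(last.subject)) return { complete: true, reason: 'chain includes a trusted root' };
  return {
    complete: false,
    reason: `last certificate sent is "${last.subject}", issued by "${last.issuer}", ` +
      'which is not in the trust store: the intermediate is missing',
  };
}

// Constructed sample 1: the leaf-only chain from the original post.
const INCOMPLETE = `
CONNECTED(00000003)
depth=0 CN = docs.raineyelectronics.com
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/CN=docs.raineyelectronics.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Server certificate
`;

// Constructed sample 2 (assumed): the same site sending leaf plus intermediate.
const COMPLETE = `
---
Certificate chain
 0 s:/CN=docs.raineyelectronics.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
`;

function main() {
  for (const [name, output] of [['cert.pem', INCOMPLETE], ['fullchain.pem', COMPLETE]]) {
    const d = diagnoseChain(parseChain(output));
    console.log(`${name}: ${d.complete ? 'OK' : 'INCOMPLETE'}: ${d.reason}`);
  }
}
main();
```

A chain is reported complete only when every certificate's issuer is the next certificate's subject and the final link ends at a root in the trust store; the leaf-only output from the original post is reported as missing its intermediate, which is what verify return code 21 ("unable to verify the first certificate") means.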

Thank you Juergen! I am now researching our nodejs https setup to see where the chain.pem fits in.

Ok it’s good to go! The only change was from cert.pem to fullchain.pem as you suggested.

I guess now the thing that is a bit weird for me is why wasn’t Chrome checking that, and how much does it matter?

Happy to read that it worked.

Chrome knows the intermediate certificate, same with Firefox. But there are some other devices (older Apple). Then it's sometimes a problem if the intermediate certificate is missing.