SSL works but only from a browser - not curl or other technology

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: my-elixir-dev.xyz

I ran this command:
certbot certonly --manual --preferred-challenges dns

It produced this output:
I used a wildcard.
It produces certificate, key, and fullchain which are usable for all five domains when viewed from a browser, but not from curl or other non-browser

My web server is (include version):
k3s with traefik ingress

The operating system my web server runs on is (include version):
ubuntu 22.04

My hosting provider, if applicable, is:
DNS provided by directnic

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 3.0.0

There are five subdomains: portal, api, app, novnc, and meapi
Each of them is properly secured for a web browser with the certificates applied. However, they fail when using curl:
curl https://portal.my-elixir-dev.xyz/

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above

My concern is not with curl. My concern is that a third party uses an unknown technology (may be curl, may be go, may be nodejs - just don't know) and they receive a similar error.

Their automated system reports:
Post "https://meapi.my-elixir-dev.xyz/api/v1/delivery": tls: failed to verify certificate: x509: certificate signed by unknown authority

Thanks in advance for any pointers

That is because your server is only sending the "Leaf" and not the related Intermediate. Browsers often, but not always, can find a trusted root anyway but you can't rely on that.

Have your nginx use the fullchain.pem file instead of cert.pem.

See a test site like: SSL Checker

5 Likes

Thanks, @MikeMcQ. That helps

2 Likes

FYI, another variant of this issue (not in this situation) is when the client computer's Operating System has an older Trust Store that does not have the Root Certificate in it. Firefox uses its own trust store, and Chrome will soon follow. Safari and Edge both use the OS. Because of this, a site might work in Firefox - but not the others.

4 Likes
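The two failure modes raised in this thread (a server that sends only the leaf, per MikeMcQ's answer, and a client whose trust store lacks the root, per the last post) can be reproduced with Go's own x509 verifier, which is also what produced the third party's "certificate signed by unknown authority" error. The example below is added here and is not code from the thread or from certbot; every certificate in it is generated in memory under a constructed root, the wildcard "*.example.test" and the hostname "meapi.example.test" are assumed stand-ins for the poster's names, and the function names (BuildBundle, VerifyAsClient, IsUnknownAuthority) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Bundle is a constructed three-tier chain (root -> intermediate -> leaf) made in
// memory for this example. It stands in for the CA root a client's trust store
// holds, the CA intermediate, and a wildcard leaf; nothing here is real CA material.
type Bundle struct {
	RootPEM         []byte // what the client's trust store holds
	IntermediatePEM []byte // what the server must send right after the leaf
	LeafPEM         []byte // cert.pem: the leaf on its own
}

// Fullchain is what certbot's fullchain.pem contains: leaf first, then the
// intermediate. The root is not sent; the client is expected to already have it.
func (b *Bundle) Fullchain() []byte {
	return append(append([]byte{}, b.LeafPEM...), b.IntermediatePEM...)
}

// base returns a minimal certificate template with a one-day validity window.
func base(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}
}

// issue signs tmpl with signer (the parent's key) and returns the parsed cert and its PEM.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, []byte, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// BuildBundle generates the constructed chain for a wildcard such as "*.example.test".
func BuildBundle(wildcard string) (*Bundle, error) {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, interKey, leafKey := keys[0], keys[1], keys[2]
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign

	rootTmpl := base(1, "Constructed Root CA")
	rootTmpl.IsCA, rootTmpl.BasicConstraintsValid, rootTmpl.KeyUsage = true, true, caUsage
	root, rootPEM, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, err
	}
	interTmpl := base(2, "Constructed Intermediate CA")
	interTmpl.IsCA, interTmpl.BasicConstraintsValid, interTmpl.KeyUsage = true, true, caUsage
	inter, interPEM, err := issue(interTmpl, root, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := base(3, wildcard)
	leafTmpl.DNSNames = []string{wildcard} // the SAN is what hostname checks use
	leafTmpl.KeyUsage = x509.KeyUsageDigitalSignature
	leafTmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	_, leafPEM, err := issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	if err != nil {
		return nil, err
	}
	return &Bundle{RootPEM: rootPEM, IntermediatePEM: interPEM, LeafPEM: leafPEM}, nil
}

// VerifyAsClient does what a Go HTTP client does during the handshake: the first
// PEM block in "served" is the leaf, anything after it counts as an intermediate,
// and trustStore is the only set of roots the client has (no system roots).
func VerifyAsClient(served, trustStore []byte, hostname string) error {
	roots := x509.NewCertPool() // empty but non-nil; a nil Roots would mean "use system roots"
	roots.AppendCertsFromPEM(trustStore)
	leafBlock, rest := pem.Decode(served)
	if leafBlock == nil {
		return errors.New("server sent no certificate")
	}
	leaf, err := x509.ParseCertificate(leafBlock.Bytes)
	if err != nil {
		return err
	}
	intermediates := x509.NewCertPool()
	intermediates.AppendCertsFromPEM(rest) // no-op when only cert.pem was served
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, DNSName: hostname})
	return err
}

// IsUnknownAuthority reports whether err is the "x509: certificate signed by
// unknown authority" failure a Go client returns when no path to a trusted root exists.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	b, err := BuildBundle("*.example.test")
	if err != nil {
		panic(err)
	}
	host := "meapi.example.test"
	fmt.Println("server sends cert.pem only:   ", VerifyAsClient(b.LeafPEM, b.RootPEM, host))
	fmt.Println("server sends fullchain.pem:   ", VerifyAsClient(b.Fullchain(), b.RootPEM, host))
	fmt.Println("fullchain, root not in store: ", VerifyAsClient(b.Fullchain(), nil, host))
}
```

The first and third cases both end in the same "unknown authority" error, which is why the error text alone does not tell you which side is at fault: serving fullchain.pem fixes the first (the server's problem, as in this thread), while only a newer trust store on the client fixes the third. Browsers often paper over the first case by fetching the intermediate themselves, which is why the site looked fine in a browser but not to curl or a Go client.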