"unable to get local issuer certificate" with curl

You're not sending the intermediate certificate. While clients can build a chain up to a valid root without an intermediate (with the aid of cached intermediates from other sites, for example), it's recommended to configure your webserver to send the correct intermediate.

See the chain info from openssl s_client -connect lenim.myown-it.com:443:

CONNECTED(00000003)
depth=0 CN = lenim.myown-it.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = lenim.myown-it.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = lenim.myown-it.com
   i:C = US, O = Let's Encrypt, CN = R3
---
(...)

Please consult the documentation of ACMEfetch on how to handle intermediate certificates.

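Added example, not part of the original post: a shell check that reads `openssl s_client` output and reports whether the server sent only the leaf certificate, as in the chain shown above. The function and sample names are hypothetical, the second sample is constructed, and the check assumes subject and issuer names print identically within one run.

```shell
# Classify the "Certificate chain" section of `openssl s_client` output (stdin):
#   leaf-only issuer=<DN>   server sent just the leaf; its issuer is absent
#   gap after=<index>       cert <index> is not issued by the cert that follows it
#   ok certs=<n>            every cert sent is followed by its issuer
# Live use: openssl s_client -connect HOST:443 </dev/null 2>/dev/null | chain_status
chain_status() {
    awk '
        /^Certificate chain/       { in_chain = 1; next }
        in_chain && /^---/         { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        in_chain && /^ +i:/        { sub(/^ +i:/, ""); iss[n] = $0 }
        END {
            if (n == 0) { print "no-chain"; exit }
            if (n == 1 && subj[1] != iss[1]) { print "leaf-only issuer=" iss[1]; exit }
            for (k = 1; k < n; k++)
                if (iss[k] != subj[k + 1]) { print "gap after=" (k - 1); exit }
            print "ok certs=" n
        }'
}

# Chain section as shown in the post above.
sample_from_page() {
cat <<'EOF'
---
Certificate chain
 0 s:CN = lenim.myown-it.com
   i:C = US, O = Let's Encrypt, CN = R3
---
EOF
}

# Constructed sample: the same section once the server also sends the R3 intermediate.
sample_with_intermediate() {
cat <<'EOF'
---
Certificate chain
 0 s:CN = lenim.myown-it.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
EOF
}

sample_from_page | chain_status
sample_with_intermediate | chain_status
```

A `leaf-only` result is what produces verify errors 20 and 21 on a client with no cached intermediate; the root is normally not sent, so the last certificate's issuer is not checked.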