TLS Certificate Issue #81

Open
NebulaMods opened this issue Jan 16, 2025 · 11 comments
Assignees
Labels
help wanted Extra attention is needed question Further information is requested

Comments

@NebulaMods

Hello,

It seems after providing the TLS cert, TLS private key, and TLS chain some web clients seem to fail to verify the certificate. The domain in question is orbitalsolutions.ca, and I don't see anything in the logs showing any issues related to TLS.


@vicanso
Owner

vicanso commented Jan 17, 2025

Please show me more of the curl log. curl -v 'https://baidu.com'

@NebulaMods
Author

@vicanso

*   Trying 142.44.241.201:443...
* Connected to orbitalsolutions.ca (142.44.241.201) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

@vicanso
Owner

vicanso commented Jan 17, 2025

I found that curl 7.81.0 is ok, but curl 7.74.0 fails.

@NebulaMods
Author

What do you suggest as a solution? I believe the issue is solved by the client using AIA, but this can't be expected by all clients.

@vicanso
Owner

vicanso commented Jan 17, 2025

What is the version of your system? Is it relatively old? And you can see the test results of ssllabs.

https://www.ssllabs.com/ssltest/analyze.html?d=orbitalsolutions.ca

@atinm

atinm commented Jan 17, 2025

Is the certificate chain misconfigured or incomplete so the client has to go to the AIA endpoint? It looks like it is missing an intermediate cert so it is up to the client to pull it. Are you using transparent or reverse proxy?

@NebulaMods
Author

@vicanso ssllabs shows it is successful only on systems that use AIA. If you use any other ssl checker it will report an error.

@atinm I am using the full chain bundle given directly from ssl2buys, and it works fine when used on nginx for some reason.

@atinm

atinm commented Jan 17, 2025

I am not sure how the server makes a difference since this is client side that has to pull from the AIA endpoint if intermediate certs are missing as is the case here. If you look at the openssl -connect output, the server is returning two certs in the chain. The intermediate cert that is missing is pulled by the browser from the AIA endpoint before it does the verification.

@NebulaMods
Author

Nginx is giving the correct chain to the client, while Pingap is not... That is why AIA is needed. This is what I provided to Pingap and Nginx https://help.configuressl.com/primessl-ca-bundle-rsa-dv-root-e46/ as the fullchain, so it should be working fine yet it isn't.

@atinm

atinm commented Jan 17, 2025

What does echo "" |openssl s_client -showcerts <insert your server here>:443 | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -noout -print_certs -text show?

echo "" |openssl s_client -showcerts orbitalsolutions.ca:443 | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -noout -print_certs -text shows only two certs, so is missing the intermediate and has to be pulled from the AIA from what I understand.
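
A way to reproduce this diagnosis offline, as an added example that is not Pingap's code nor anything posted in this thread: it checks a presented chain the way a client that never fetches missing issuers via AIA would (Go's crypto/x509 with only the server-sent intermediates plus the trust anchors), and reports the issuer nobody supplied together with the leaf's AIA caIssuers URLs. The root, intermediate and leaf are constructed in the block; "leaf.example" and "http://ca.example/intermediate.crt" are placeholders, not the real certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CheckPresentedChain verifies presented[0] using only the intermediates the server sent
// (presented[1:]) and the given trust anchors, i.e. like a client without AIA fetching. It
// returns the issuer DN nobody supplied ("" when complete) and the leaf's AIA caIssuers URLs.
func CheckPresentedChain(presented []*x509.Certificate, roots *x509.CertPool) (missing string, aiaURLs []string) {
	inter := x509.NewCertPool()
	for _, c := range presented[1:] {
		inter.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	if ua, ok := err.(x509.UnknownAuthorityError); ok { // ua.Cert is the cert whose issuer was not found
		missing = ua.Cert.Issuer.String()
	} else if err != nil {
		missing = "verify error: " + err.Error() // expiry, bad signature, etc.
	}
	return missing, presented[0].IssuingCertificateURL
}

// mkCert issues a constructed test certificate (self-signed when parent is nil); fixture only.
func mkCert(cn string, ca bool, aia []string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, IssuingCertificateURL: aia, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk) // inputs are fixed and valid
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// MakeTestChain builds root -> intermediate -> leaf; the leaf's AIA URL is a placeholder.
func MakeTestChain() (leaf, inter, root *x509.Certificate) {
	root, rk := mkCert("Test Root", true, nil, nil, nil)
	inter, ik := mkCert("Test Intermediate", true, nil, root, rk)
	leaf, _ = mkCert("leaf.example", false, []string{"http://ca.example/intermediate.crt"}, inter, ik)
	return
}
```

Feeding it only the leaf reproduces the "unable to get local issuer certificate" situation: the missing issuer is the intermediate, and the AIA URL is what a newer curl or a browser would fetch to hide the gap.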

@vicanso vicanso self-assigned this Jan 17, 2025
@vicanso vicanso added the question Further information is requested label Jan 17, 2025
@vicanso
Owner

vicanso commented Jan 18, 2025

Nginx is giving the correct chain to the client, while Pingap is not... That is why AIA is needed. This is what I provided to Pingap and Nginx https://help.configuressl.com/primessl-ca-bundle-rsa-dv-root-e46/ as the fullchain, so it should be working fine yet it isn't.

Did you try using only the chain certificate?

@vicanso vicanso added the help wanted Extra attention is needed label Jan 18, 2025