There is something wrong with the way my Linux machine checks the certificate chain, and I’m unable to debug it.
Two hosts that are currently affected, where I’ve tested the issue
Both have the same issue, according to SSLLabs (server’s certificate chain is incomplete, grade capped to “B”).
I’ve verified that DigiCert GlobalRoot CA is correctly installed in my /etc/ssl/certs (both manually configured using dpkg-reconfigure ca-certificates and update-ca-certificates --fresh). I’ve also verified that the local serial/fingerprint matches the remote.
However, I’m unable to connect to these hosts from git, in both cases encountering the same symptoms (Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification.). APT won’t download the repo files, obviously, and git will fail to download the repository.
I’ve tried to get to the root, using openssl s_client -connect, and in both cases OpenSSL reported issue 21 (Verify return code: 21 (unable to verify the first certificate)); the full command run is listed below.
I’ve also tried to get the missing intermediates; however, that does not resolve the issue.
Is the problem on my side (and I suspect it is), or are both of these servers misconfigured and I’m simply hitting the security pre-measures in my distro (Debian Buster/Bullseye)?
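
The situation described above, a trusted root installed locally while the chain is reported as incomplete, can be reproduced offline. This is an added example, not part of the original post: it builds a constructed root, intermediate and leaf with OpenSSL and verifies the leaf with and without the intermediate. All subjects, file names and function names are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo PKI: "Demo Root" -> "Demo Intermediate" -> "demo.example".
# Everything is generated locally; names and paths are assumptions for the demo.
set -u

new_csr() {  # $1 = dir, $2 = file basename, $3 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_chain() {  # $1 = empty working directory
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  new_csr "$d" root "Demo Root" &&
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  new_csr "$d" int "Demo Intermediate" &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
  new_csr "$d" leaf "demo.example" &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Case 1: the root is trusted, but nobody supplies the intermediate
# (what a client sees when a server sends only its leaf certificate).
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem"
}

# Case 2: same trust anchor, intermediate passed as an untrusted helper
# (what a client sees when the server sends the full chain).
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem"
}

demo() {
  local d; d=$(mktemp -d) || return 1
  build_chain "$d" || { echo "chain build failed"; return 1; }
  echo "--- root trusted, intermediate missing ---"
  verify_leaf_only "$d" 2>&1 || echo "=> verification failed"
  echo "--- root trusted, intermediate supplied ---"
  verify_with_intermediate "$d" 2>&1 && echo "=> verification succeeded"
  rm -rf "$d"
}
demo
```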