debian – Debug CA certificates issue – DigiCert GlobalRoot CA

There is something wrong with the way my Linux machine checks the certificate chain, and I’m unable to debug it.

Two hosts that are currently affected, where I’ve tested the issue

Both have the same issue, according to SSLLabs (server’s certificate chain is incomplete, grade capped to “B”).

I’ve verified that DigiCert GlobalRoot CA is correctly installed in my /etc/ssl/certs (both manually configured using dpkg-reconfigure ca-certificates and update-ca-certificates --fresh). I’ve also verified that the local serial/fingerprint matches the remote.

However, I’m unable to connect to these hosts from apt/git, in both cases encountering the same symptoms (Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification.). APT won’t download the repo files, obviously, and git will fail to download the repository.

I’ve tried to get to the root, using openssl s_client -connect, and in both cases OpenSSL reported issue 21 (Verify return code: 21 (unable to verify the first certificate)); the full command run is listed below.

I’ve also tried to get the missing intermediates; however, that does not resolve the issue.

Is the problem on my side (and I suspect it is), or are both of these servers misconfigured, and I’m simply hitting the security pre-measures in my distro (Debian Buster/Bullseye)?
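
Added example, not part of the original question: an offline reproduction of the "incomplete chain" condition SSLLabs reports, showing that a client which trusts the root still fails when the server omits the intermediate. The three certificates, their names and the helper function names are all constructed for illustration.

```shell
#!/bin/sh
# Constructed chain: root -> intermediate -> leaf. All names are made up.

# new_csr NAME SUBJECT: write NAME.key and NAME.csr
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# make_chain DIR: build root.pem, inter.pem and leaf.pem in DIR
make_chain() {
    # Extensions that mark a certificate as a CA (root and intermediate)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
        > "$1/ca.ext"
    new_csr "$1/root"  "/CN=Example Root CA"
    new_csr "$1/inter" "/CN=Example Intermediate CA"
    new_csr "$1/leaf"  "/CN=host.example"
    # Self-signed root
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
        -set_serial 1 -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null
    # Intermediate signed by the root
    openssl x509 -req -in "$1/inter.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -days 2 -set_serial 2 -extfile "$1/ca.ext" -out "$1/inter.pem" 2>/dev/null
    # Leaf signed by the intermediate
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/inter.pem" -CAkey "$1/inter.key" \
        -days 2 -set_serial 3 -out "$1/leaf.pem" 2>/dev/null
}

# The client trusts only the root and the server sent only its leaf:
# no path from leaf to root can be built, so verification fails.
verify_incomplete() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem"
}

# Same trust store, but the intermediate is available as an untrusted
# helper certificate, as it is when a server sends its full chain.
verify_complete() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem"
}

demo_dir=$(mktemp -d)
make_chain "$demo_dir"
echo "leaf only:";           verify_incomplete "$demo_dir"
echo "leaf + intermediate:"; verify_complete "$demo_dir"
rm -rf "$demo_dir"
```

Against a live host, adding -showcerts to the openssl s_client -connect command prints every certificate the server actually sends, which shows whether the intermediate is missing from the handshake.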