There is something wrong with the way my Linux machine checks the certificate chain, and I'm unable to debug it.

Two hosts that are currently affected, where I've tested the issue:
- repo.fortinet.com (Debian/Ubuntu repository for apt/deb): SSL Labs report
- code.gov.cz (our local gov GitLab instance): SSL Labs report

Both have the same issue according to SSL Labs (the server's certificate chain is incomplete, grade capped to "B").
I've verified that DigiCert Global Root CA is correctly installed in my /etc/ssl/certs (both manually configured using `dpkg-reconfigure ca-certificates` and `update-ca-certificates --fresh`). I've also verified that the local serial/fingerprint matches the remote.
However, I'm unable to connect to these hosts from apt/git, in both cases encountering the same symptoms (Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. Could not handshake: Error in the certificate verification.). APT obviously won't download the repo files, and git will fail to download the repository.
I've tried to get to the root using `openssl s_client -connect`, and in both cases OpenSSL reported issue 21 (Verify return code: 21 (unable to verify the first certificate)); the full command run is listed below.

I've also tried to get the missing intermediates; however, that does not resolve the issue.
Is the problem on my side (and I suspect it is), or are both of these servers misconfigured and I'm simply hitting the security measures in my distro (Debian Buster/Bullseye)?
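As an added illustration of the "incomplete chain" situation described in the question (this script is not part of the original post and never contacts the real hosts), the following builds a throwaway root, intermediate and leaf with the openssl CLI and shows why a client that trusts only the root cannot verify the leaf on its own, yet verifies it once the intermediate is supplied. All names and certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original question): build a throwaway
# root -> intermediate -> leaf chain and show that a client trusting only the
# root fails to verify the leaf when the intermediate is missing, which is
# what SSL Labs reports as an incomplete chain, and succeeds once it is sent.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for each tier, written to files (POSIX sh has no <(...)).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:demo.example\n' > leaf.ext

# Root CA (self-signed): plays the role of the CA installed in /etc/ssl/certs.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -days 1 -in root.csr -signkey root.key -extfile ca.ext \
  -out root.pem 2>/dev/null

# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -days 1 -in int.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out int.pem 2>/dev/null

# Leaf (server) certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -days 1 -in leaf.csr -CA int.pem -CAkey int.key \
  -CAcreateserial -extfile leaf.ext -out leaf.pem 2>/dev/null

# verify_chain LEAF [INTERMEDIATE]: the trust store is root.pem only (default
# system file/dir disabled); extra certs are treated as sent by the server.
# Prints "ok" or "fail".
verify_chain() {
  if [ $# -ge 2 ]; then
    openssl verify -no-CApath -no-CAfile -CAfile root.pem -untrusted "$2" "$1" \
      >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -no-CApath -no-CAfile -CAfile root.pem "$1" \
      >/dev/null 2>&1 && echo ok || echo fail
  fi
}

ONLY_LEAF=$(verify_chain leaf.pem)                  # server sent only the leaf
WITH_INTERMEDIATE=$(verify_chain leaf.pem int.pem)  # intermediate supplied too
echo "leaf alone: $ONLY_LEAF; leaf + intermediate: $WITH_INTERMEDIATE"
```

The same check against a live server is `openssl s_client -showcerts`: if the output carries a single certificate whose issuer is not a root in the local store, the server is omitting its intermediate and every client that does not fetch intermediates itself (apt, git) will fail exactly as described.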