
I have a wildcard certificate (*.example.com) from DigiCert.

I have the following files in the zip file from the DigiCert portal:

  1. DigiCert Global Root G2.pem
  2. DigiCertCA.crt
  3. star_example_com.crt
  4. TrustedRoot.crt

I combined these files into a single file with base64 encoding (cat DigiCertGlobalRoot.pem DigiCertCA.crt star_rablighting_com.crt | base64) and added it to the Traefik IngressProxy.

All files are in PEM format, which I have verified with this:

openssl x509 -noout -in DigiCertCA.crt && echo $?
0

When I load https://dev.example.com in a browser it works with no issue, but when I try wget I see the following error:

wget https://dev.example.com//images/logo.png
--2024-06-24 14:02:18--  https://dev.example.com//images/logo.png
Resolving dev.example.com (dev.example.com)... 10.100.8.232, 10.100.7.174, 10.100.6.183, ...
Connecting to dev.example.com (dev.example.com)|10.100.8.232|:443... connected.
ERROR: cannot verify dev.example.com's certificate, issued by ‘CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US’:
  Unable to locally verify the issuer's authority.
To connect to dev.example.com insecurely, use `--no-check-certificate'.

OR

openssl s_client -connect dev.example.com:443 -debug

...
...
depth=0 C=US, ST=New York, L=New York, O=example Inc, CN=*.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C=US, ST=New York, L=New York, O=example Inc, CN=*.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C=US, ST=New York, L=New York, O=example Inc, CN=*.example.com
verify return:1

...
...

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2370 bytes and written 391 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)

  • 1
    I believe you need to tell wget where to get the trusted (CA) certificates from, with an option like --ca-certificate={the_cert_file_path} (where you put the PEM files of the CAs you trust, who signed your certs)
    – olivierg
    Commented Jun 24 at 19:07
  • The cert is provided by DigiCert, so why can't wget verify it publicly?
    – rp346
    Commented Jun 24 at 21:51
  • 3
    Your server is not sending the chain cert(s). (You probably need only the one labelled DigiCertCA, unless your "Root G2" is really a bridge such as these logged ones, which is unlikely.) Browsers often work around a missing chain using AIA and/or cache, but software like openssl, wget, curl, nodejs, python, etc. usually can't. Why Traefik is not sending the chain cert(s) that you gave it, I cannot help with.
    Commented Jun 25 at 1:54
  • Are you sure your .crt is in the same format as the pem? If you are concatenating them they should all be in pem format (text). Don't trust the extension to tell you if it's der/pem/jks etc.
    Commented Jun 25 at 14:52
  • Yes all are in PEM format
    – rp346
    Commented Jun 28 at 11:56
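The comments above describe the usual cause of verify error 20/21: the client already trusts the DigiCert root, but the server presents only the leaf, so the intermediate (DigiCertCA.crt) that links the two is never seen. The script below is an added example, not code from the question or from Traefik: it builds a throwaway root -> intermediate -> leaf chain with openssl (all names are constructed placeholders, not DigiCert's) and shows that the leaf fails to verify on its own but passes once the intermediate is supplied, which is what a correctly ordered combined file (leaf first, then intermediate) gives a server to send.

```shell
#!/bin/sh
# Added example, not from the question or its comments: build a throwaway
# root -> intermediate -> leaf chain and show how verification behaves
# when only the leaf is presented (the "unable to get local issuer
# certificate" situation) versus when the intermediate travels with it.
# All names and files below are constructed placeholders, not DigiCert's.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway root CA (stands in for the root that wget already trusts).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root G0" \
  -keyout root.key -out root.pem 2>/dev/null
# Intermediate CA signed by the root (the "DigiCertCA.crt" role).
openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile inter.ext -out inter.pem 2>/dev/null
# Wildcard leaf signed by the intermediate (the "star_example_com.crt" role).
openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null

# The file a server should present: leaf first, then the intermediate(s);
# the root is optional. This is the order for the combined Traefik cert file.
cat leaf.pem inter.pem > fullchain.pem

# chain_status LEAF TRUSTED_ROOTS [UNTRUSTED_CHAIN]
# Prints "ok" when LEAF chains to TRUSTED_ROOTS, "missing-issuer" otherwise.
# Passing a chain file as UNTRUSTED_CHAIN mimics a client that received the
# server's intermediates; omitting it mimics a server that sends only the leaf.
chain_status() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1 && echo ok || echo missing-issuer
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo ok || echo missing-issuer
  fi
}

echo "leaf only:            $(chain_status leaf.pem root.pem)"               # missing-issuer
echo "leaf + intermediate:  $(chain_status leaf.pem root.pem inter.pem)"     # ok
echo "served fullchain.pem: $(chain_status leaf.pem root.pem fullchain.pem)" # ok
```

Against the real server, `openssl s_client -connect dev.example.com:443 -showcerts` lists every certificate Traefik actually sends; if only the depth=0 leaf appears, the chain file handed to Traefik is what needs fixing, not the client.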
