I have a wildcard certificate (*.example.com) from DigiCert.
I have the following files in the zip file from the DigiCert portal:
DigiCert Global Root G2.pem
DigiCertCA.crt
star_example_com.crt
TrustedRoot.crt
I combined these files into a single file with base64 encoding (cat DigiCertGlobalRoot.pem DigiCertCA.crt star_rablighting_com.crt | base64) and added it to the Traefik IngressProxy.
All files are in PEM format, which I have verified with this:
openssl x509 -noout -in DigiCertCA.crt && echo $?
0
When I load https://dev.example.com in a browser it works with no issue, but when I try wget I see the following error:
wget https://dev.example.com//images/logo.png
--2024-06-24 14:02:18-- https://dev.example.com//images/logo.png
Resolving dev.example.com (dev.example.com)... 10.100.8.232, 10.100.7.174, 10.100.6.183, ...
Connecting to dev.example.com (dev.example.com)|10.100.8.232|:443... connected.
ERROR: cannot verify dev.example.com's certificate, issued by ‘CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US’:
Unable to locally verify the issuer's authority.
To connect to dev.example.com insecurely, use `--no-check-certificate'.
OR
openssl s_client -connect dev.example.com:443 -debug
...
...
depth=0 C=US, ST=New York, L=New York, O=example Inc, CN=*.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C=US, ST=New York, L=New York, O=example Inc, CN=*.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C=US, ST=New York, L=New York, O=example Inc, CN=*.example.com
verify return:1
...
...
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2370 bytes and written 391 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
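
An added example, not part of the original post: a shell check of the order of certificates in a combined PEM file like the one built with cat above. TLS requires the server's own certificate to come first, with each following certificate expected to certify the one before it; this check compares issuer and subject names only, not signatures. The function names, subjects and file names are assumptions, and the demo chain is constructed with throwaway keys.

```shell
#!/usr/bin/env bash
# Added example (not from the post): is a combined PEM file ordered leaf first,
# with each certificate issued by the next one? Compares names, not signatures.
check_bundle_order() {
  local bundle="$1" tmp n i=1 rc=0 iss nxt
  n=$(grep -c 'BEGIN CERTIFICATE' "$bundle" || true)
  [ "$n" -gt 0 ] || { echo "no certificates in $bundle"; return 1; }
  tmp=$(mktemp -d)
  # Split the bundle into one numbered file per certificate.
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n{print > (d "/" n ".pem")}' "$bundle"
  while [ "$i" -le "$n" ]; do
    echo "$i: $(openssl x509 -noout -subject -in "$tmp/$i.pem")"
    if [ "$i" -lt "$n" ]; then
      iss=$(openssl x509 -noout -issuer_hash -in "$tmp/$i.pem")
      nxt=$(openssl x509 -noout -subject_hash -in "$tmp/$((i + 1)).pem")
      [ "$iss" = "$nxt" ] || { echo "  cert $i is not issued by cert $((i + 1))"; rc=1; }
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return "$rc"
}

# Constructed throwaway chain in directory $1 (names only; no CA extensions are set).
make_demo_chain() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Demo: root-first order (as in the cat command above), then leaf-first order.
demo=$(mktemp -d)
make_demo_chain "$demo"
cat "$demo/root.pem" "$demo/int.pem" "$demo/leaf.pem" > "$demo/root_first.pem"
cat "$demo/leaf.pem" "$demo/int.pem" "$demo/root.pem" > "$demo/leaf_first.pem"
check_bundle_order "$demo/root_first.pem" || echo "root_first.pem: not leaf first"
check_bundle_order "$demo/leaf_first.pem" && echo "leaf_first.pem: order OK"
rm -rf "$demo"
```

To check a file that was stored base64-encoded, decode it first (base64 -d) and pass the resulting PEM file to check_bundle_order.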