
I recently bought an SSL certificate (positiveSSL).

I configured NGINX to work with it.

I can go to the https:// version of the site, and Chrome declares that the certificate is "valid and trusted".

However, command line programs say the opposite. These problems happen if I invoke the commands on the server or from a separate host. The commands are invoked from updated versions of Ubuntu.

wget

```
# wget https://example.com
ERROR: The certificate of ‘example.com’ is not trusted.
ERROR: The certificate of ‘example.com’ doesn't have a known issuer.
```

When wget is run on the server, the error message is:

```
ERROR: cannot verify example.com's certificate, issued by ‘CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB’:
  Unable to locally verify the issuer's authority.
```

links

"The server example.com doesn't have a valid certificate. Do you want to connect to it anyway?"

lynx

"SSL error:The certificate is NOT trusted. The certificate issuer is unknown. -Continue? (n)"

curl

```
root@example:/etc/nginx# curl -I https://example.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
```

How can I get these command line programs to trust the certificate?
Jesse Hogan
  • Did you add the full chain to `nginx` or just the end-entity certificate? – garethTheRed Jan 02 '21 at 19:51
  • Check your site with [SSLLabs](https://www.ssllabs.com/ssltest/analyze.html). It will likely show "chain issues" because it is missing intermediate certificates. Browsers will often successfully work around such problems, tools like curl etc don't. This problem should be fixed at the server. – Steffen Ullrich Jan 02 '21 at 20:09
  • Hi @garethTheRed. In the NGINX site config file, I referenced the .crt and (private) .key file I received from namecheap. I will have to Google "full chain"; I'm not familiar with that phrase. – Jesse Hogan Jan 02 '21 at 20:13
  • Hi @SteffenUllrich, SSLLabs say "Chain issues: Incomplete". – Jesse Hogan Jan 02 '21 at 20:16
  • @JesseHogan: Exactly this was expected. You did not provide the full certificate chain in your server configuration. You might better follow the [instructions from namecheap](https://www.namecheap.com/support/knowledgebase/article.aspx/9419/33/installing-an-ssl-certificate-on-nginx/) about how to configure nginx, specifically the part about combining the files. – Steffen Ullrich Jan 02 '21 at 20:23

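The difference the comments describe, a server sending only the end-entity certificate versus the leaf plus its intermediate, can be reproduced offline. This is an added example, not part of the original question or comments; it assumes `openssl` is installed, and the CA hierarchy and names (`demo-root`, `demo-int`, `demo-leaf`) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example with constructed data: a throwaway root -> intermediate -> leaf
# chain. Every name and file below is made up; nothing comes from the real site.

make_demo_chain() {  # $1 = scratch directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  for n in root int leaf; do     # one key + CSR per certificate
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  # Root: self-signed CA, the only certificate the client trusts
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  # Intermediate: CA certificate issued by the root
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  # Leaf: issued by the intermediate, like the site certificate in the question
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
  # What the server should send: leaf first, then the intermediate
  cat "$d/leaf.crt" "$d/int.crt" > "$d/fullchain.crt"
}

cert_count() {  # number of certificates in a PEM file
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# $1 = trusted roots, $2 = PEM file the server would send. The first
# certificate in $2 is verified; everything in $2 is offered as untrusted
# chain material, as a TLS client does with what the server presents.
served_chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

demo() {
  tmp=$(mktemp -d) && make_demo_chain "$tmp"
  for f in leaf.crt fullchain.crt; do
    if served_chain_ok "$tmp/root.crt" "$tmp/$f"; then r="verifies"
    else r="fails (issuer not found)"; fi
    echo "$f: $(cert_count "$tmp/$f") certificate(s), $r"
  done
  rm -rf "$tmp"
}
demo
```

Running `cert_count` on the file named in nginx's `ssl_certificate` directive gives a quick first check: a result of 1 means only the end-entity certificate is being served.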