We use an SSL checker to debug our certificate installation. We've used an SSL certificate for quite some time now without any issues, until a week or two ago.
Only some requests will throw an SSL verification error, caused by missing intermediate certificates. I've exported the certificate file (.pfx) all over again, making sure to export the certificate path/chain as well (as explained in this answer), but the errors continue to occur. I've confirmed with the DigiCert Util that the intermediate certificates are included in the .pfx file.
Browsers don't have any problems accessing the site and verifying the SSL certificate, but programmatic connections only sometimes fail, and so do SSL checking utilities.
For example, running this piece of Python:
    import requests

    for i in range(0, 20):
        requests.get('https://........com')
results in a random number of successful requests and one that fails with the following exception:
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
The Azure Web App is running as 1 Standard Small instance.
I'm starting to think that the server is not returning the proper certificate for all requests, but these failed requests don't show up in any of the server logs. I hope someone can help me figure this one out!
[Update] I've collected Wireshark captures of the successful and failed requests. You can clearly see that sometimes one of the certificates is missing, which is odd, because I uploaded only one certificate to Azure. See the image below. I hope it helps in figuring this out.
Here's our Azure certificate setup, which clearly shows there is only 1 certificate available for IIS to return:
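Added example, not part of the original post: one way to compare the chains the server actually sent in a good and a failed handshake, by parsing the Certificate handshake message exported from each capture and listing which certificate is missing. It assumes a TLS 1.0-1.2 handshake, where this message is unencrypted and uses the RFC 5246 layout; all function names are hypothetical and the sample bytes are constructed placeholders, not real certificates.

```python
import hashlib

HANDSHAKE_CERTIFICATE = 0x0B  # TLS handshake message type 11

def _u24(buf, off):
    """Read a 3-byte big-endian length field."""
    if off + 3 > len(buf):
        raise ValueError("truncated length field")
    return int.from_bytes(buf[off:off + 3], "big")

def chain_fingerprints(msg):
    """SHA-256 of each certificate in one TLS 1.0-1.2 Certificate message.

    Layout (RFC 5246, 7.4.2): type(1) | length(3) | list length(3) | {length(3) | DER}...
    """
    if not msg or msg[0] != HANDSHAKE_CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    body_len = _u24(msg, 1)
    body = msg[4:4 + body_len]
    if len(body) != body_len or _u24(body, 0) != body_len - 3:
        raise ValueError("truncated or inconsistent handshake body")
    prints, off = [], 3
    while off < len(body):
        cert_len = _u24(body, off)
        cert = body[off + 3:off + 3 + cert_len]
        if len(cert) != cert_len:
            raise ValueError("truncated certificate entry")
        prints.append(hashlib.sha256(cert).hexdigest())
        off += 3 + cert_len
    return prints

def missing_certs(good_msg, bad_msg):
    """Fingerprints sent in the good handshake but absent from the bad one."""
    bad = set(chain_fingerprints(bad_msg))
    return [fp for fp in chain_fingerprints(good_msg) if fp not in bad]

def build_msg(certs):
    """Assemble a Certificate message; used only for the constructed sample."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([HANDSHAKE_CERTIFICATE]) + len(body).to_bytes(3, "big") + body

# Constructed placeholder bytes standing in for the DER certificates in two captures.
LEAF, INTERMEDIATE = b"constructed-leaf-der", b"constructed-intermediate-der"
GOOD, BAD = build_msg([LEAF, INTERMEDIATE]), build_msg([LEAF])
```

With real captures, pass the raw bytes of each Certificate handshake message instead of `GOOD` and `BAD`; the fingerprints can then be matched against the certificates in the exported .pfx.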