Recently I was setting up an nginx server, which is used as a reverse proxy to pass requests to backend servers.
The configuration file looks like this
This configuration file works well; I can use my browser to connect to my backend servers through nginx.
But when I tried to use curl to fetch my site, a warning message showed up, like this:
curl: (60) SSL certificate problem: unable to get local issuer certificate
Hmm, weird. I had never seen this message before. But where's the problem?
I checked my browser again. My browser works. I tried another server; the same message appeared.
After reading the warning, I thought maybe the problem was related to the CA certificates that are stored on my computer.
I am using Let's Encrypt for my SSL certs, so if I download a copy of their intermediate certificate and put it on my computer, it would work, right?
No, it didn’t work.
What made me more confused is that a friend of mine tried to curl the same address, and there wasn't any warning message on his computer.
I couldn't figure out why, until I took a look at the folder in which Let's Encrypt stores certificates.
There are four files in the folder, like this
OK, I know privkey.pem, but what's the difference between
fullchain.pem: This is the file that contains both your certificate and the intermediate certificates.
The problem is, when nginx responds to an HTTPS request with the configuration above, it sends only your certificate (the leaf) back to the client.
The client then won't be able to verify the certificate, because the intermediate certificate that signed it is not installed on your computer.
What you have on your computer is a set of CA (certificate authority) certificates. These CAs are responsible for issuing certificates, and if your client has these CA certificates, it can check whether the cert from the server is signed (issued) by any CA in your local store.
But that doesn't always work: sometimes your client can't complete the check, like above, because the link from your certificate to a trusted CA is missing. So you need to send more information about your certificate, and that's what fullchain.pem is for.
Change this line
Restart your nginx server, then use curl to check again whether it works this time.
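As an added example (not part of the original post, and not nginx's or Let's Encrypt's own tooling), the shell script below does the check you would want before restarting: it pulls the path out of every ssl_certificate directive in an nginx config and counts the PEM blocks in that file. One block means the server will send only the leaf certificate and curl fails as above; two or more means the intermediate is included. The directory, file names and PEM bodies are constructed placeholders, not real certificates.

```sh
#!/bin/sh
# Added example, not code from the original post. Lint an nginx config:
# every ssl_certificate must point at a PEM file with at least two
# certificate blocks (leaf + intermediate), i.e. fullchain.pem, not cert.pem.
# Paths, file names and PEM bodies below are constructed placeholders.

# Number of "BEGIN CERTIFICATE" blocks in a PEM file (0 if none or unreadable).
count_certs() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Returns 0 if every ssl_certificate directive in the nginx config "$1"
# refers to a file with >= 2 certificates, 1 if any file holds only the leaf.
check_nginx_chain() {
    conf="$1"
    status=0
    # sed pulls the path out of "ssl_certificate <path>;" lines only;
    # "ssl_certificate_key" does not match because "_" is not whitespace.
    for pem in $(sed -n 's/^[[:space:]]*ssl_certificate[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$conf"); do
        n=$(count_certs "$pem")
        if [ "$n" -lt 2 ]; then
            echo "WARN: $pem has $n certificate(s); clients without the intermediate will report 'unable to get local issuer certificate'"
            status=1
        else
            echo "OK:   $pem has $n certificate(s)"
        fi
    done
    return $status
}

# Write one constructed PEM block; the body is dummy text, not a real certificate.
fake_cert() {
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}

# Build a throwaway directory mirroring the Let's Encrypt layout from the post:
# cert.pem (leaf only), fullchain.pem (leaf + intermediate), and an nginx
# config in the weak form plus the same config corrected. Prints the directory.
make_demo() {
    dir=$(mktemp -d)
    fake_cert 'LEAF-CERT-PLACEHOLDER' > "$dir/cert.pem"
    { fake_cert 'LEAF-CERT-PLACEHOLDER'; fake_cert 'INTERMEDIATE-CERT-PLACEHOLDER'; } > "$dir/fullchain.pem"
    cat > "$dir/nginx-weak.conf" <<EOF
server {
    listen 443 ssl;
    server_name example.invalid;
    ssl_certificate     $dir/cert.pem;
    ssl_certificate_key $dir/privkey.pem;
}
EOF
    # The fix from the post: point ssl_certificate at fullchain.pem instead.
    sed 's#/cert.pem;#/fullchain.pem;#' "$dir/nginx-weak.conf" > "$dir/nginx-fixed.conf"
    echo "$dir"
}

# Demo run: the weak config is flagged, the corrected one passes.
DEMO_DIR=$(make_demo)
check_nginx_chain "$DEMO_DIR/nginx-weak.conf" || echo "-> this is the misconfiguration described in the post"
check_nginx_chain "$DEMO_DIR/nginx-fixed.conf"
rm -r "$DEMO_DIR"
```

Run it against your real config with check_nginx_chain /etc/nginx/nginx.conf (or whichever file holds the server block); it only reads files, so it is safe to run on a live server before the restart.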
If you encounter errors related to X.509, changing the cert your web server provides may help, just like above.