Check certificate chain of trust using OpenSSL

Sometimes you get an error like this:

Unable to Verify first certificate

This error means the server is not able to verify your certificate's chain of trust. From the domain you have shown there, it looks like your certificate bundle does not have a DigiCert intermediate certificate installed on your server. When the chain of trust is verified, your server certificate is validated against the intermediate CA, and the intermediate CA's certificate is validated against the root CA. This is known as the certificate chain of trust, and it is a building block of HTTPS.

When you issue or buy a certificate from any CA, you will get 3 certificates: the rootCA cert, the intermediateCA cert and the domain certificate. You need to create a bundle of those certificates using this command:

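# NGINX expects the server certificate first, then the intermediate; '>' avoids appending to an old bundle
cat server.crt intermediate.crt rootCA.crt > bundle.crt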

Then, if you are using NGINX as a reverse proxy, add the following to your NGINX configuration file, i.e. /etc/nginx/sites-available/<configuration file>:

ssl_certificate …./…/bundle.crt;
ssl_certificate_key <Private key>;

The private key is issued using a CSR request to the certificate provider. DO NOT DO IT TWICE, they might charge you again. Once it's installed, you can move on to checking the certificate status.

You can check the certificate chain of trust using the following command:

openssl s_client -connect example.com:443 -servername example.com

You can also check it from the headers using curl:

curl -v https://example.com
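
To read the result of the openssl s_client command above without scanning it by eye, the following added example (not part of the original post) summarises the "Certificate chain" block and the "Verify return code" line. The function name check_chain, the verdict labels and the two sample outputs are constructed for illustration.

```sh
# Added example. Reads `openssl s_client` output on stdin and prints
# "sent=<n> code=<n> verdict=<v>"; exit status is 0 only for verdict=ok.
check_chain() {
  awk '
    BEGIN                      { code = -1 }
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && /^---/         { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); issuer[n] = $0 }
    /Verify return code:/      { code = $4 }
    END {
      verdict = "ok"
      # Each certificate sent must be issued by the one sent right after it.
      for (k = 1; k < n; k++)
        if (issuer[k] != subj[k + 1]) verdict = "misordered"
      # 20 and 21 mean the issuer of a sent certificate was not found locally,
      # which is what a bundle without the intermediate produces.
      if (n == 0) verdict = "no-certificates"
      else if (verdict == "ok" && (code == 20 || code == 21)) verdict = "incomplete-chain"
      else if (verdict == "ok" && code != 0) verdict = "verify-failed"
      printf "sent=%d code=%d verdict=%s\n", n, code, verdict
      exit (verdict != "ok")
    }'
}
sample_incomplete() {   # constructed s_client output: server sends the leaf only
  cat <<'EOF'
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Example CA, CN = Example Intermediate CA
---
Verify return code: 21 (unable to verify the first certificate)
EOF
}
sample_complete() {     # constructed s_client output: leaf plus intermediate
  cat <<'EOF'
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Example CA, CN = Example Intermediate CA
 1 s:C = US, O = Example CA, CN = Example Intermediate CA
   i:C = US, O = Example CA, CN = Example Root CA
---
Verify return code: 0 (ok)
EOF
}
# Live use: openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | check_chain
sample_incomplete | check_chain || true   # sent=1 code=21 verdict=incomplete-chain
sample_complete | check_chain             # sent=2 code=0 verdict=ok
```
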

Once your certificate is installed and configured, you can go to the following URL to see whether your certificate's chain of trust is verified:

https://www.digicert.com/help/

A word of advice: if you are using the free SSL from Cloudflare, then do not use it, as Cloudflare does not install the certificate on your server; rather, the certificate is installed on the edge server. If you want full SSL encryption to your server, use a certificate provider like LE. That way traffic is encrypted up to your server and to the LB.


DevOps / SRE Engineer. Blog: 99devops.com System admin turned SRE. I love Linux.

Prabesh Thapa
