View Ticket
Ticket Hash: 8d79a6910690db6487dbe4771f3264f95771e484
Title: TLS cert chain incomplete
Status: Open Type: Incident
Severity: Important Priority:
Subsystem: Resolution:
Last Modified: 2024-10-12 13:21:50
Version Found In:
User Comments:
anonymous added on 2024-10-12 13:21:50:
$ fossil clone https://chiselapp.com/user/rkeene/repository/flint flint.fossil
Unable to verify SSL cert from chiselapp.com
  subject:   CN = chiselapp.com
  issuer:    C = US, O = Let's Encrypt, CN = R11
  notBefore: 2024-10-07 03:41:38 UTC
  notAfter:  2025-01-05 03:41:37 UTC
  sha256:    2d654f473bb6291c1b0f79ee2cae8b75be64f3a6e2dcec221f44982f72b6dc80
$ curl -v https://chiselapp.com
* Host chiselapp.com:443 was resolved.
* IPv6: 2607:f1c0:800:8902:68e8:7a3f:2812:3fc0
* IPv4: 74.208.229.64
*   Trying [2607:f1c0:800:8902:68e8:7a3f:2812:3fc0]:443...
* Connected to chiselapp.com (2607:f1c0:800:8902:68e8:7a3f:2812:3fc0) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* OpenSSL/3.0.14: error:16000069:STORE routines::unregistered scheme
* closing connection #0
curl: (35) OpenSSL/3.0.14: error:16000069:STORE routines::unregistered scheme

I think the problem may be that Let's Encrypt now selects a random intermediate issuer on each renewal, so you must have the web server update this every time instead of using a hard-coded chain? https://letsencrypt.org/2024/03/19/new-intermediate-certificates/

https://www.ssllabs.com/ssltest/analyze.html?d=chiselapp.com&s=74.208.229.64