linux – Server isn’t sending intermediate certificates correctly

Trying to connect with SSL to another host via a VPN tunnel, using a self-signed certificate that was issued by a trusted third party. The certificate consists of three certificates: (1) the certificate, (2) the intermediate certificate, (3) the root certificate.

I have one server (SERVER1 from here on) where the connection works, and another (SERVER2) where it doesn’t.

SERVER1 (Works)

CentOS 7, OpenSSL 1.1.1

I don’t remember installing the root/intermediate certificates here via this well-documented procedure. It just works.

(SERVER1)# openssl s_client -connect subdomain.mydomain.tld:443
CONNECTED(00000004)
depth=2 CN = ROOT.CA.0, OU = 0, O = OVC_TST, L = L_PARAMETER, C = NL
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 CN = Issuing.CA.WS.0, OU = 0, O = OVC_DAP, L = L_PARAMETER, C = NL
verify return:1
depth=0 C = NL, ST = PROVINCE, L = CITY, OU = IT, O = O_PARAMETER, CN = *.mydomain.tld
verify return:1
140423307978560:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40
---
Certificate chain
 0 s:C = NL, ST = PROVINCE, L = CITY, OU = IT, O = O_PARAMETER, CN = *.mydomain.tld
   i:CN = Issuing.CA.WS.0, OU = 0, O = OVC_DAP, L = L_PARAMETER, C = NL
 1 s:CN = Issuing.CA.WS.0, OU = 0, O = OVC_DAP, L = L_PARAMETER, C = NL
   i:CN = ROOT.CA.0, OU = 0, O = OVC_TST, L = L_PARAMETER, C = NL
 2 s:CN = ROOT.CA.0, OU = 0, O = OVC_TST, L = L_PARAMETER, C = NL
   i:CN = ROOT.CA.0, OU = 0, O = OVC_TST, L = L_PARAMETER, C = NL
---

SERVER2 (Doesn’t work)

Ubuntu 20, OpenSSL 1.1.1

I installed the intermediate/root certificates here via this procedure (same URL as mentioned above). I installed the two certificates individually, and also tried merging them into one file and then installing it. All three certificate files I tried verify correctly when running “$ openssl verify -verbose”.

I obscured any names/strings in these outputs, but made sure they are consistent with the actual output.

SERVER2:/usr/local/share/ca-certificates$ openssl s_client -connect subdomain.mydomain.tld:443
CONNECTED(00000003)
depth=0 C = NL, ST = PROVINCE, L = CITY, OU = IT, O = O_PARAMETER, CN = *.mydomain.tld
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = NL, ST = PROVINCE, L = CITY, OU = IT, O = O_PARAMETER, CN = *.mydomain.tld
verify error:num=21:unable to verify the first certificate
verify return:1
139668700611904:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1543:SSL alert number 40
---
Certificate chain
 0 s:C = NL, ST = PROVINCE, L = CITY, OU = IT, O = O_PARAMETER, CN = *.mydomain.tld
   i:CN = Issuing.CA.WS.0, OU = 0, O = OVC_DAP, L = L_PARAMETER, C = NL
 1 s:CN = Issuing.CA.WS.0, OU = 0, O = OVC_DAP, L = L_PARAMETER, C = NL
   i:CN = ROOT.CA.0, OU = 0, O = OVC_TST, L = L_PARAMETER, C = NL
 2 s:CN = ROOT.CA.0, OU = 0, O = OVC_TST, L = L_PARAMETER, C = NL
   i:CN = ROOT.CA.0, OU = 0, O = OVC_TST, L = L_PARAMETER, C = NL
---

The intention is to connect to a third-party API on this host using curl. curl itself gives the following error: “error 60: SSL certificate problem: unable to get local issuer certificate”.

I have two more servers besides the two mentioned here, also CentOS 7 and Ubuntu 20, same setup, with similar VPN tunnels. On those, both connections succeed. It is just this one, SERVER2, that is not working.

After checking out various interesting sources, including: 1, 2, 3, 4, I still cannot find the solution. Could anyone point me in the right direction?
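As an added example (not from the post or from any answer to it), a small Python script that parses `openssl s_client` output in exactly the shape shown above: it collects the verify-callback errors per depth, maps the X509_V_ERR codes 19/20/21 seen in the two transcripts to what OpenSSL's verify(1) documentation says they mean, and checks that each certificate the server sent names the next one as its issuer. The sample transcript is constructed from the SERVER2 output.

```python
import re

# Constructed sample transcript, copied in shape from the SERVER2 `openssl s_client` output.
SAMPLE = """\
depth=0 C = NL, ST = PROVINCE, L = CITY, OU = IT, O = O_PARAMETER, CN = *.mydomain.tld
verify error:num=20:unable to get local issuer certificate
depth=0 C = NL, ST = PROVINCE, L = CITY, OU = IT, O = O_PARAMETER, CN = *.mydomain.tld
verify error:num=21:unable to verify the first certificate
Certificate chain
 0 s:C = NL, ST = PROVINCE, L = CITY, OU = IT, O = O_PARAMETER, CN = *.mydomain.tld
   i:CN = Issuing.CA.WS.0, OU = 0, O = OVC_DAP, L = L_PARAMETER, C = NL
 1 s:CN = Issuing.CA.WS.0, OU = 0, O = OVC_DAP, L = L_PARAMETER, C = NL
   i:CN = ROOT.CA.0, OU = 0, O = OVC_TST, L = L_PARAMETER, C = NL
 2 s:CN = ROOT.CA.0, OU = 0, O = OVC_TST, L = L_PARAMETER, C = NL
   i:CN = ROOT.CA.0, OU = 0, O = OVC_TST, L = L_PARAMETER, C = NL
"""
# Meaning of the X509_V_ERR codes that appear in the post, per OpenSSL's verify(1) man page.
X509_ERR = {
    19: "chain was built from the sent certificates, but its self-signed root is not in the local trust store",
    20: "the issuer of a certificate could not be found in the sent chain or in the local trust store",
    21: "the built chain contains only the leaf, so no sent certificate was accepted as its issuer",
}
DEPTH_RE = re.compile(r"^depth=(\d+) ")
ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
SUBJ_RE = re.compile(r"^\s*\d+ s:(.*)$")
ISS_RE = re.compile(r"^\s+i:(.*)$")

def parse_s_client(text):
    """Return (errors, chain): errors as (depth, code, message); chain as (subject, issuer) per sent cert."""
    errors, chain, depth = [], [], None
    for line in text.splitlines():
        if m := DEPTH_RE.match(line):
            depth = int(m.group(1))                      # depth of the cert the next error refers to
        elif m := ERR_RE.match(line):
            errors.append((depth, int(m.group(1)), m.group(2)))
        elif m := SUBJ_RE.match(line):
            chain.append([m.group(1).strip(), None])     # new cert in the order the server sent it
        elif (m := ISS_RE.match(line)) and chain:
            chain[-1][1] = m.group(1).strip()            # issuer line belongs to the last subject
    return errors, [tuple(c) for c in chain]

def diagnose(text):
    """Turn a transcript into findings about the sent chain and the local trust store."""
    errors, chain = parse_s_client(text)
    breaks = [k for k in range(len(chain) - 1) if chain[k][1] != chain[k + 1][0]]
    findings = [f"depth {d}: error {n} ({m}): {X509_ERR.get(n, 'see verify(1)')}" for d, n, m in errors]
    findings += [f"issuer of sent cert {k} is not the subject of sent cert {k + 1}" for k in breaks]
    if chain and not breaks and any(n == 21 for _, n, _ in errors):
        findings.append("subject/issuer names line up, so compare the intermediate's key identifier and signature against the leaf, not its name")
    return findings
```

Run `diagnose()` over the SERVER1 output as well to see error 19 explained; with a chain that names a different issuer than the intermediate actually sent, the name-mismatch finding appears instead.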