SSL certificate error
If you experience SSL certificate issues like:
- certificate has expired
- unable to get local issuer certificate
the following actions should be requested:
Ensure no outdated certificate is in the truststore
Outdated certificates cause issues with node/openssl, so please check every single certificate in the truststore.
Ensure the full chain is in the truststore
Node/openssl require the full chain of certificates to be in the truststore. All intermediate CA certificates must also be in the truststore; otherwise node/openssl will reject the certificate.
Ensure the correct and up-to-date certificates are in the truststore
Tools like KeyStore Explorer have their own truststore, which might be outdated. If you use such a tool and the server does not return the full chain of certificates, KeyStore Explorer, for example, will display a trust chain built from its own, possibly outdated, truststore. Browsers are more reliable for retrieving the most current trust chain. The best and correct solution is to get the trust chain directly from the service provider, using a trusted contact and channel.
So please check every single certificate and its certificate chain in the truststore.
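One way to run the per-certificate check described above, as an added example that is not part of the original page. It assumes the truststore is available as a PEM bundle (a JKS or PKCS#12 store would have to be exported to PEM first); the function name audit_truststore and the status labels are hypothetical, and issuers are matched by name only, not by signature.

```shell
# Added example, not from the original page. Assumes a PEM bundle truststore.
# Usage: audit_truststore BUNDLE.pem [WINDOW_SECONDS]   (hypothetical helper name)
# Returns 0 if clean, 1 if any certificate has a finding, 2 if no certificate was found.
audit_truststore() {
    bundle=$1
    window=${2:-0}   # 0 = already expired; 2592000 = expires within 30 days
    tmp=$(mktemp -d) || return 2
    findings=0

    # Split the bundle into one file per certificate.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%03d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    [ -e "$tmp/cert-001.pem" ] || { rm -rf "$tmp"; return 2; }

    # Collect every subject name so issuers can be looked up in the bundle.
    for c in "$tmp"/cert-*.pem; do
        openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
    done > "$tmp/subjects.txt"

    for c in "$tmp"/cert-*.pem; do
        subject=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        enddate=$(openssl x509 -in "$c" -noout -enddate | sed 's/^notAfter=//')
        status=OK
        # -checkend exits non-zero when notAfter falls inside the window.
        if ! openssl x509 -in "$c" -noout -checkend "$window" >/dev/null; then
            status=EXPIRED_OR_EXPIRING
        # An issuer that is absent from the bundle leaves the chain incomplete.
        elif ! grep -Fxq -- "$issuer" "$tmp/subjects.txt"; then
            status=ISSUER_MISSING
        fi
        [ "$status" = OK ] || findings=$((findings + 1))
        printf '%s | notAfter=%s | subject=%s | issuer=%s\n' \
            "$status" "$enddate" "$subject" "$issuer"
    done
    rm -rf "$tmp"
    [ "$findings" -eq 0 ]
}
```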
To investigate the SSL certificates returned by the server itself, these openssl commands might be helpful:
openssl s_client -connect HOSTNAME:443 -servername HOSTNAME < /dev/null 2>/dev/null | openssl x509 -text
openssl s_client -connect HOSTNAME:443 -servername HOSTNAME < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout
openssl s_client -connect HOSTNAME:443 -servername HOSTNAME < /dev/null