Establishing SSL Trust Between Servers

When a server attempts to connect to another secure server (such as Posit Workbench accessing a Posit Connect instance) over HTTPS, you might encounter one of the following SSL-related errors:

  • Unable to get local issuer certificate

  • Unable to verify the first certificate

These errors typically indicate that either:

  • The destination server is not serving the complete certificate chain, or

  • The origin server does not trust the chain that’s being presented.

This article walks through diagnosing the issue and resolving it using one of two common methods.


Reproducing the Error

To verify whether SSL trust is the issue, run the following commands from the origin server (replace the domain with the actual target):

curl -v https://example.domain.xyz
openssl s_client -showcerts -connect example.domain.xyz:443

If either command fails with SSL errors, it’s a strong indicator that the root and/or intermediate certificates are not properly recognized or trusted.


Step 1: Obtain the Root and Intermediate Certificates

If you don’t already have the required certificates (full chain), you can retrieve them using any modern web browser:

  1. Navigate to https://example.domain.xyz.

  2. Click the padlock icon in the address bar.

  3. Select “Connection is secure” or similar.

  4. Click “Certificate is valid” to view the certificate chain.

  5. In the hierarchy, you should see:

    • The server (local) certificate

    • One or more intermediate certificates

    • The root certificate

  6. Export each certificate individually, or export the full chain if supported.

  7. With those exported certificates saved, continue to the next step.


Step 2: Choose a Resolution Path

Option 1: Update the Destination Server to Serve the Full Certificate Chain (Recommended)

This is the most scalable and preferred solution. The destination server should serve the complete certificate chain in the following order:

  1. Server (local) certificate

  2. Intermediate certificate(s)

  3. Root certificate

Concatenate the Chain

Create a single file with all certificates in order:

-----BEGIN CERTIFICATE-----
... (server certificate) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (intermediate certificate) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (root certificate) ...
-----END CERTIFICATE-----

Configure your destination server (e.g., Posit Connect) to use this file as the SSL certificate.

Related Docs: Nginx SSL Certificate Chains


Option 2: Add Certificates to the Origin Server's CA Trust Store

If you cannot modify the destination server, manually add the certificates to the origin server’s trust store.

On RHEL-based systems:

  1. Place the PEM-encoded certificate files in:

    /etc/pki/ca-trust/source/anchors/

  2. Update the trust store:

    sudo update-ca-trust extract

On Ubuntu-based systems:

  1. Place the PEM-encoded certificate files in the directory below. Each file must have a .crt extension, because update-ca-certificates ignores any other extension:

    /usr/local/share/ca-certificates/

  2. Update the trust store:

    sudo update-ca-certificates
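
The failure from "Reproducing the Error" and the effect of both resolution paths can be observed without any network access. The script below is an added example; it is not part of the original article or of any Posit product. It builds a throwaway root, intermediate and server certificate chain with openssl and checks the server certificate with openssl verify, the offline counterpart of the openssl s_client check above: -CAfile stands in for the origin server's trust store and -untrusted for the certificates the destination server sends in the TLS handshake. The CA subject names, file names and example.domain.xyz are constructed for the demo, and the script assumes an openssl binary (1.1.1 or newer) on PATH.

```shell
#!/bin/sh
# Added example (not from the original article): reproduce the trust failure
# offline with a throwaway test PKI, then show why each resolution path fixes it.
# Assumes an openssl binary (1.1.1 or newer) on PATH. All names are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Sign CSR $1 with the CA whose key/cert are $2.key and $2.pem, writing $3;
# $4 is a file of X.509 v3 extensions for the new certificate.
sign_csr() {
  openssl x509 -req -in "$1" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -out "$3" -days 1 -extfile "$4" >/dev/null 2>&1
}

build_test_pki() {
  # Root CA: self-signed; this is the anchor the origin server must trust.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Example Test Root CA" >/dev/null 2>&1
  # Intermediate CA, issued by the root.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" \
    -subj "/CN=Example Test Intermediate CA" >/dev/null 2>&1
  sign_csr "$WORK/intermediate.csr" "$WORK/root" "$WORK/intermediate.pem" "$WORK/ca.ext"
  # Server (leaf) certificate for the destination host, issued by the intermediate.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.domain.xyz\n' \
    > "$WORK/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=example.domain.xyz" >/dev/null 2>&1
  sign_csr "$WORK/server.csr" "$WORK/intermediate" "$WORK/server.pem" "$WORK/leaf.ext"
  # Option 1 artefact: the concatenated chain in the order the article gives.
  cat "$WORK/server.pem" "$WORK/intermediate.pem" "$WORK/root.pem" > "$WORK/fullchain.pem"
  # Option 2 artefact: the origin's trust store after the CA certificates were added.
  cat "$WORK/root.pem" "$WORK/intermediate.pem" > "$WORK/trusted.pem"
}

# Echo OK or FAIL for: origin trusts bundle $1, destination presents the extra
# certificates in $2 ("" for none) next to its leaf. -CAfile models the trust
# store and -untrusted models the chain sent in the TLS handshake.
check() {
  if [ -n "$2" ]; then set -- -CAfile "$1" -untrusted "$2"; else set -- -CAfile "$1"; fi
  if openssl verify "$@" "$WORK/server.pem" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

scenario_leaf_only()   { check "$WORK/root.pem" ""; }                    # the broken setup
scenario_full_chain()  { check "$WORK/root.pem" "$WORK/fullchain.pem"; } # Option 1
scenario_trust_store() { check "$WORK/trusted.pem" ""; }                 # Option 2

# openssl's own wording for the broken setup (the same text curl reports).
leaf_only_error() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" 2>&1 || true
}

# List subject and issuer of every certificate in a bundle, to confirm chain order.
describe_bundle() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

build_test_pki
echo "leaf only, root trusted:         $(scenario_leaf_only)"
echo "full chain served (Option 1):    $(scenario_full_chain)"
echo "intermediate trusted (Option 2): $(scenario_trust_store)"
echo "--- certificates in fullchain.pem, in served order ---"
describe_bundle "$WORK/fullchain.pem"
```

The first scenario fails with "unable to get local issuer certificate" because the origin holds only the root and nothing links the leaf to it. Option 1 closes that gap on the destination side (the intermediate arrives with the leaf), Option 2 on the origin side (the intermediate is already trusted). describe_bundle is the quick way to confirm that a concatenated chain file really is ordered leaf, intermediate, root before deploying it.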

Verification

After completing either method, retry the original test:

curl -v https://example.domain.xyz

If successful, the SSL error should no longer appear, confirming that the certificate chain is now trusted.

Additional Notes

This process is essential for environments where internal services communicate over HTTPS using private or self-signed certificates. Ensuring that each server trusts the other’s certificates helps maintain secure and reliable communication.