SSL证书和cURL：证书捆绑还是不受信任的证书？

Question

We have a webapp which fetches XML files to validate against an XML schema. The app runs on an Ubuntu server which was set up some years ago.

There is an issue where cURL-ing a given domain fails because it was the certificate cannot be verified. I'm hearing conflicting things about if the problem is on our side, or if it is an issue that we should contact the client to resolve.

For example, using cURL gives:

(pyenv)vagrant@precise64:~$ curl "https://example.com"
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

I have tried to research what could be wrong This SSL checker says that the certificate authority (CA) may not be trusted in some browsers:

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate.

I then tried the URL in several browsers using browserstack with the predicted mixed results - the request works on some browsers, fails on others.

Basically I'm not sure if we should...

1. Find some way of updating the 'certificate bundles' on our server. If this is even best practice?
2. Telling the people at example.com that the problem is at their end and they need to get a fully trusted certificate

The discounted options:

3. Installing the certificate for example.com only <- Discounted as this does not seem sustainable if other sites have the same issue
4. Turning off SSL verification on the app <- Discounted as this is insecure and not good practice - even for an XML schema validator

Answer 1

Looking at the report from SSLLabs for ngoaidmap.org shows:

Chain issues Incomplete

This means that the server is not setup properly because it is not providing the necessary intermediate certificate. Desktop browsers often can work around this problem by downloading missing certificates or using cached certificates, but outside of the browsers the validation will fail. Which means mostly option 2:

Telling the people at example.com that the problem is at their end and they need to get a fully trusted certificate

Telling the people to fix their server is correct. But the problem is not that they need to get another certificate but that their server must provide the missing intermediate certificate too. Best point them to the SSLLabs report because they better should also fix all the insecure things noted in this report.

Answer 2

i cannot tell how curl behaves within a linux environment here. under windows providing a ca-bundle with the relevant subset of root CAs solves this issue - you may try this by providing the bundle using the suggested --cacert option.

a usefull bundle is available here: https://curl.haxx.se/docs/caextract.html

edit: according to the answer from steffen ulrich i digged into using openssl. you may check this yourself

openssl s_client -showcerts -connect ngoaidmap.org:443

the response indicates that the delivered certificate contains the actual server certificate but is missing the cert of the intermediate ca (which is required for full offline validation of the certificate chain).

Certificate chain 0 s:/CN=*.ngoaidmap.org i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3 <= here should be the cert for the intermediate ca (which is not part of ca-bundle)

on the server side this can be easily achieved by combining the delivered cert.