
HTTP::Daemon::SSL auto-fetch and serve intermediate certs


I’ve created a secure server in Perl using HTTP::Daemon::SSL on Windows 8.1. It works fine with Chrome and IE. It fails under Firefox – ISSUER UNKNOWN. I can append the issuer’s chain cert to the SSL_cert_file and Firefox can then connect. I’ve noticed Firefox has no problems WITHOUT the issuer’s chain cert appended to the SSL_cert_file when the secure server is Apache on Windows or Python on a Raspberry Pi. Is there any way to tell Perl’s HTTP::Daemon::SSL to fetch and serve the required chain certificate(s) without having to manually add them to SSL_cert_file?


Solution

  • There is no built-in way to make HTTP::Daemon::SSL automatically get the missing certificates. Also, your observation that such a thing is done with Apache or Python is wrong. In general, the server needs to be properly configured to send the necessary certificates.

    Some browsers can work around misconfigured servers, and sometimes these workarounds work only in specific situations. For example, Firefox will cache intermediate certificates it has seen and use these to fill in missing chain certificates in other connections later. But this will fail if the intermediate certificate was not seen before by Firefox, which can be easily tried with a newly created profile. What you saw with Apache and Python is likely the use of already cached certificates.
    Some browsers can also use the CA Issuers attribute in the Authority Information Access extension of the certificate to download a missing certificate. I think Chrome can do this. But this will of course impact the load time of the page, since the missing certificate needs to be retrieved first from some other server.
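One way to avoid hand-editing the certificate file while still sending the full chain, as an added example that is not part of the original answer: the script builds the combined PEM from separate leaf and intermediate files at startup and passes it as SSL_cert_file. The file names, the port and the `names` helper are assumptions, and the ordering check compares issuer and subject names only; it does not verify signatures.

```perl
use strict;
use warnings;
use HTTP::Daemon::SSL;
use HTTP::Response;
use IO::Socket::SSL::Utils qw(PEM_file2cert CERT_free);
use Net::SSLeay;

# Placeholder file names (assumptions, not from the post).
my $key_file   = 'server.key';
my @cert_files = ('server.crt', 'intermediate.crt');  # leaf first, then intermediates, no root
my $chain_file = 'fullchain.pem';

# Hypothetical helper: subject and issuer DN of the one certificate in a PEM file.
sub names {
    my ($file) = @_;
    my $cert = PEM_file2cert($file);
    my @dn = map { Net::SSLeay::X509_NAME_oneline($_) }
        Net::SSLeay::X509_get_subject_name($cert),
        Net::SSLeay::X509_get_issuer_name($cert);
    CERT_free($cert);
    return @dn;
}

# Refuse to start on a broken or misordered chain: each certificate's
# issuer name must equal the subject name of the certificate after it.
my @dn = map { [ names($_) ] } @cert_files;
for my $i (0 .. $#dn - 1) {
    die "$cert_files[$i] was not issued by $cert_files[$i + 1]\n"
        unless $dn[$i][1] eq $dn[$i + 1][0];
}

# Concatenate the files into the chain the server sends in the handshake.
open my $out, '>', $chain_file or die "cannot write $chain_file: $!";
for my $file (@cert_files) {
    open my $in, '<', $file or die "cannot read $file: $!";
    my $pem = do { local $/; <$in> };
    $pem .= "\n" unless $pem =~ /\n\z/;
    print {$out} $pem;
}
close $out or die "cannot close $chain_file: $!";

my $d = HTTP::Daemon::SSL->new(LocalPort => 8443,
    SSL_cert_file => $chain_file, SSL_key_file => $key_file)
    or die "cannot start server: $!";

while (1) {
    my $c = $d->accept or next;   # a failed handshake must not stop the server
    while ($c->get_request) {
        $c->send_response(HTTP::Response->new(200, 'OK', undef, "ok\n"));
    }
    $c->close;
}
```

Testing against a newly created Firefox profile, as the answer suggests, confirms the chain is served rather than filled in from the browser's cache.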