
SSL Certificate Does Not Work With Curl "unable to get local issuer certificate"


My web server is set up to force HTTPS, as in the future I'm working on projects that involve transfer of user data so encryption will be needed. But for now I'm just testing things out. Unfortunately I've got an issue I can't seem to figure out no matter what I try!

I'm using a custom server engine (written in C for maximum speed of course!), the SSL is implemented using openssl installed on the latest Ubuntu Server. I can provide some code if that's relevant, but the thing is... It works 100% perfectly in Chrome, Edge, and Firefox, tested on everything from PC, Mac, Android, even my old iPhone. All have no issues negotiating to TLS 1.2 AES.

But there are two things in particular that don't work. One, CURL, which seems to fail with this obscure SSL-related error "(60) SSL certificate problem: unable to get local issuer certificate", and oddly, my Smart TV, LG B8 OLED, which has a certificate error as well and suggests double-checking the date/time settings, which are correct.

Here's the web address if anyone wants to test: https://forestfire.net


Solution

  • That message is the same as the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error documented here:

    https://www.openssl.org/docs/manmaster/man3/X509_STORE_CTX_get_error.html

    the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.

    Typically when you configure your server you need to set up the server's own certificate plus any required intermediate certificates in the certificate chain (these are the "untrusted" certificates referred to above). On the client side you need the list of trusted CA certificates.

    You could get this error if your list of intermediate certificates in the certificate chain is missing or incorrect in some way, or if the client does not have the CA for the top of the "untrusted" chain in its trust store.

    You can get different behaviour between different clients if those clients have different certificates in their trust store. For example the browsers may have some of the intermediate certificates cached and therefore can complete the chain even though the server does not present them.
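The chain-building failure described in this answer, reproduced locally as an added example (not code from the question or the answer): it builds a constructed root/intermediate/leaf chain with the openssl CLI (assumed to be 1.1.1 or newer), then runs the same verification step curl performs, first without and then with the intermediate. The subjects and the host name are made up; `show_served_chain` is a helper for checking a live server and is not run here.

```shell
set -e
WORK=$(mktemp -d)

# Key + CSR helper: $1 is a file prefix, $2 the subject (all values constructed).
newcsr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Build a private three-tier chain: self-signed root -> intermediate -> leaf,
# then the fullchain file a server should present (leaf first, then intermediate).
make_chain() {
  newcsr root "/CN=Example Root"
  newcsr int "/CN=Example Intermediate"
  newcsr leaf "/CN=example.test"
  printf 'basicConstraints=critical,CA:TRUE\n' >"$WORK/root.ext"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign\n' >"$WORK/int.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' >"$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
  cat "$WORK/leaf.pem" "$WORK/int.pem" >"$WORK/fullchain.pem"
}

# Client-side check: verify leaf $1 against the root trust store, with the
# optional file $2 playing the role of the chain certificates the server sends.
# Prints openssl's verdict rather than aborting, so both outcomes can be compared.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$2" "$1" 2>&1 || true
  else
    openssl verify -CAfile "$WORK/root.pem" "$1" 2>&1 || true
  fi
}

# Live diagnosis for a real host: list subject/issuer of every certificate the
# server actually sends. A single entry whose issuer is not a root is the misconfiguration.
show_served_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
    grep -E '^ *[0-9]+ s:|^ *i:'
}

make_chain
echo "--- leaf only, no intermediate from the server (what curl saw) ---"
verify_leaf "$WORK/leaf.pem"
echo "--- leaf plus the intermediate the server should send ---"
verify_leaf "$WORK/leaf.pem" "$WORK/int.pem"
```

The first verdict is "error 20 ... unable to get local issuer certificate", the second is "OK"; pointing the server at `fullchain.pem` instead of the bare leaf is the corresponding fix.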