Reputation: 5470
Mojolicious lets me specify an SSL certificate and key when starting the app:
> ./myapp.pl prefork --listen 'https://*:8485&cert=my.crt&key=my.key'
I am trying to do this with a RapidSSL certificate. Connecting to this service results in wget being rather unhappy:
$ wget https://example.com:8485/
--2016-06-22 09:50:49-- https://example.com:8485/
Resolving example.com (example.com)... 1.3.2.4
Connecting to example.com (example.com)|1.3.2.4|:8485... connected.
ERROR: cannot verify example.com's certificate, issued by `/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3':
Unable to locally verify the issuer's authority.
To connect to example.com insecurely, use `--no-check-certificate'.
No big surprise, since when using RapidSSL certs in other applications I have to specify an intermediate certificate as well. So I tried to add this here too by concatenating the intermediate cert to the site certificate, but this has no influence on the outcome.
I also tried to put the intermediate certificate along with the root cert into a separate file and start with:
> ./myapp.pl prefork --listen 'https://*:8485&cert=my.crt&key=my.key&ca=myca.crt'
but the result was equally uninspiring:
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Please advise.
Upvotes: 2
Views: 504
Reputation: 123639
If you want the server to send not only the leaf (server's) certificate but also any other (intermediate) certificates to the client, then you simply add these to the cert file in the correct order. This means your my.crt should look like this:
-----BEGIN CERTIFICATE-----
MII... the leaf certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MII... the first intermediate certificate, i.e. the one which signed the leaf cert
-----END CERTIFICATE-----
...
Upvotes: 1