
How to deal with reported TLS errors which are due to incomplete certificate chain #170

Open
sypets opened this issue Feb 28, 2022 · 0 comments
@sypets (Owner) commented Feb 28, 2022

On my site, there are a number of possible TLS errors. Helpful is the curl error code (which is currently not displayed, but that's another issue).

Some of the errors are due to severe security problems. What makes this more difficult is that what the browser displays and whether guzzle (or rather curl) returns an error are different. In some scenarios curl returns an error, but the page is loaded fine in the browser - which may be confusing.

Here, we handle only the case of incomplete certificate chain. This is a less severe problem, though in an ideal world it should be fixed by the admin of the server.

Unfortunately, in my experience, this happens quite often. The problem is an incomplete certificate chain, which leads to a downgrade to B on SSL Labs; the browser displays no error message, but curl fails (unless the intermediate certificate is downloaded) with error code 60:

curl -I https://www.dhm.de/lemo/bestand.html
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

https://www.ssllabs.com/ssltest/analyze.html?d=www.dhm.de

This server's certificate chain is incomplete. Grade capped to B.


see https://serverfault.com/questions/844071/cannot-get-curl-or-wget-to-validate-some-ssl-certificates

If you're not the admin of that server and want to fix that client side: download that intermediate certificate yourself and add it to the local trust store.

I think that missing intermediate certificates are a server misconfiguration that you shouldn't solve client-side, but please read up on how SSL works.

@sypets sypets self-assigned this Feb 28, 2022
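One way to separate the "incomplete chain" case from the severe ones, as an added example that is not part of this issue or of the project's code: parse the curl or Guzzle error text (curl's `curl: (60) ...` line as shown above, and Guzzle's `cURL error 60: ...` ConnectException message, which is assumed here), map the OpenSSL verification reason to a category, and optionally re-check the host directly with Python's `ssl` module, whose `SSLCertVerificationError.verify_code` carries the same OpenSSL reason codes (20 is "unable to get local issuer certificate"). The category names and the `probe` helper are this example's own assumptions.

```python
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# Categories assumed for this example (not project terminology).
SEVERE = "severe"                # expired, self-signed, hostname mismatch
MISCONFIG = "misconfiguration"   # incomplete chain: browsers load, curl fails
UNKNOWN = "unknown"              # not a recognised TLS verification reason

# OpenSSL X509_V_ERR_* codes (as exposed by ssl.SSLCertVerificationError.verify_code)
# paired with the phrase curl prints for them. Order matters: the longer
# "self signed certificate in certificate chain" must be tried before its prefix.
_REASONS = [
    (20, "unable to get local issuer certificate", MISCONFIG),
    (10, "certificate has expired", SEVERE),
    (19, "self signed certificate in certificate chain", SEVERE),
    (18, "self signed certificate", SEVERE),
    (62, "Hostname mismatch", SEVERE),
]

_CURL_RE = re.compile(r"curl: \((\d+)\) (.*)")          # curl CLI output
_GUZZLE_RE = re.compile(r"cURL error (\d+): (.*)")      # Guzzle ConnectException (assumed format)


@dataclass
class TlsVerdict:
    curl_code: Optional[int]   # curl errno if one could be parsed (60 = peer verification failed)
    reason: str                # human-readable verification reason
    category: str              # one of SEVERE / MISCONFIG / UNKNOWN / "ok"


def classify_error_text(text: str) -> TlsVerdict:
    """Classify a curl or Guzzle error message without touching the network."""
    m = _CURL_RE.search(text) or _GUZZLE_RE.search(text)
    code = int(m.group(1)) if m else None
    detail = m.group(2) if m else text
    detail = re.sub(r"\s*\(see .*\)\s*$", "", detail).strip()  # drop Guzzle's "(see ...)" suffix
    lowered = detail.lower()
    for _, phrase, category in _REASONS:
        if phrase.lower() in lowered:
            return TlsVerdict(code, phrase, category)
    return TlsVerdict(code, detail, UNKNOWN)


def classify_verify_code(verify_code: int, verify_message: str) -> TlsVerdict:
    """Map an OpenSSL verification code (from ssl.SSLCertVerificationError) to a verdict."""
    for code, phrase, category in _REASONS:
        if code == verify_code:
            return TlsVerdict(60, phrase, category)
    return TlsVerdict(60, verify_message, UNKNOWN)


def probe(host: str, port: int = 443, timeout: float = 5.0) -> TlsVerdict:
    """Re-check a host with the system trust store; needs network access (not run in tests)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return TlsVerdict(None, "ok", "ok")
    except ssl.SSLCertVerificationError as exc:
        return classify_verify_code(exc.verify_code, exc.verify_message)


if __name__ == "__main__":
    # Constructed sample: the curl line quoted in the issue above.
    print(classify_error_text("curl: (60) SSL certificate problem: unable to get local issuer certificate"))
```

A report can then show MISCONFIG results as "works in browsers, chain incomplete on the server side" while keeping SEVERE results as real verification failures; the curl code alone (60 in both cases) does not make that distinction, the verification reason does.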