I get that too. But the problem is not that the certificate has expired.
Visiting
chiselapp.com with a browser works fine and it shows that the
certificate is valid until Aug 22 2021.
The browser has its own set of CAs. But fossil uses the list of OpenSSL
CAs (unless the ssl-ca-location setting is configured). Running `openssl
s_client -connect chiselapp.com:443` also shows an error:
CONNECTED(00000003)
depth=0 CN =
chiselapp.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN =
chiselapp.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:CN =
chiselapp.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Some googling seems to suggest that the server is not sending the
complete chain:
https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce
Quote: "Usually certificates are tested using a browser, visiting the
URL by going to
https://yourwebsite.com and see if it shows as green (or
if it’s not showing Not Secure in the latest version of Google Chrome).
Problem using this approach is that browsers tend to complete the chain
if it’s not sent from the server using their embedded certificate store
(or from the operating system). This means that even an incomplete chain
will show as valid in the browser. [...] If you try to connect to the
same URL using command line tools, it will fail"
This would be something for Roy to fix.
Schelte.