I cannot curl https://example.com (on some distros)
3 months ago
- #SSL
- #NixOS
- #Cloudflare
- Encountered SSL certificate issues when trying to curl https://example.com on NixOS, with error 'certificate rejected'.
- Investigation revealed the certificate chain links to a deprecated root CA 'AAA Certificate Services', which browsers can bypass but OpenSSL cannot.
- Different Linux distributions handle the certificate chain differently, with Debian working fine while Arch Linux and NixOS fail.
- NixOS specifically marks 'AAA Certificate Services' as untrusted for server authentication, only allowing it for email protection.
- Suggests Cloudflare or users should update their certificate chains to avoid compatibility issues with newer systems adhering to updated policies.
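
The purpose-scoped trust described above can be reproduced offline. The script below is an added example, not code from the original post: it builds a constructed root CA and leaf with the `openssl` CLI (1.1.1 or newer with its default `openssl.cnf` is assumed), then verifies the leaf against the same root with and without trust attributes. All names, keys and certificates are generated locally, and the restricted store yields the same `certificate rejected` error.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and name below is generated locally.
# Assumes the openssl CLI (1.1.1 or newer) with its default openssl.cnf.

make_pki() {  # $1 = work dir; creates a root CA and a leaf signed by it
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Legacy Root" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -days 30 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/leaf.pem" 2>/dev/null &&
    # Same root, re-emitted as a TRUSTED CERTIFICATE with trust attributes
    # like those the post describes: allowed for email protection,
    # rejected for server authentication.
    openssl x509 -in "$1/ca.pem" -addtrust emailProtection \
        -addreject serverAuth -out "$1/ca-email-only.pem"
}

check() {  # $1 = work dir, $2 = trust store file, $3 = verification purpose
    openssl verify -purpose "$3" -CAfile "$1/$2" "$1/leaf.pem" 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" || return 1
    echo "== unrestricted root, purpose sslserver"
    check "$d" ca.pem sslserver || echo "(unexpected failure)"
    echo "== email-only root, purpose sslserver"
    check "$d" ca-email-only.pem sslserver || echo "(rejected for TLS server use)"
    echo "== email-only root, purpose smimesign"
    check "$d" ca-email-only.pem smimesign || echo "(unexpected failure)"
    rm -rf "$d"
}

demo
```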