Why do some SSL clients need a full certificate chain and others don’t? [duplicate]
I was setting up a private docker repository and by mistake, I included the server certificate without a full certificate chain.
I can access the repository (https://privserver1.64hosts.com:5004/) with Chrome, and Chrome reports the SSL certificate to be valid and shows the entire certificate chain.
But trying to access the same repository using docker login privserver1.64hosts.com:5004 (enter any username/password), I am getting an error x509: certificate signed by unknown authority.
When I try openssl s_client -showcerts -connect privserver1.64hosts.com:5004, it also reports being unable to verify the certificate.
OTOH, curl https://privserver1.64hosts.com:5004 somehow manages to verify the certificate.
All clients are running on the same Windows machine, so it's not a matter of different CA certificates installed on different client machines.
The problem is easily resolved by using a certificate with the whole chain included, but I wonder, why do some SSL clients (docker, openssl) require a full certificate chain on the server and others (Chrome, curl) do not? An SSL connection is an SSL connection, why the difference?