Various issues with private SSL Certificates and CA


This question is fairly open ended because frankly I'm not an expert in SSL certificates and it is affecting code in multiple languages. It may not even be a "code" issue and more of an infrastructure problem, but at this point I just need someone to point me in the right direction. I have recently been issued certificates by my IT department for internal services on a private network. I'm using Nginx to listen on 443 and redirect 80 to 443. Everything seems to work perfectly fine in Chrome, but when switching to Firefox problems start to appear. Firefox treats the site like it has a self-signed certificate, where you need to give it explicit instruction to ignore it. The issue doesn't end there, however: my Chef cookbooks are now failing at any spot where one of my internal services is accessed (API, file copy, etc.) with the following sorts of errors:

================================================================================
       Error executing action `create` on resource 'remote_file[Download Installer]'
       ================================================================================

       OpenSSL::SSL::SSLError
       ----------------------
       SSL Error connecting to http://service.domain.com/download/client - SSL Error connecting to https://service.domain.com/download/client - SSL_connect returned=1 errno=0 state=error: certificate verify failed

I'm seeing this same sort of error with Ruby and NodeJS libraries. I've been able to work around it for the most part by setting the libraries to ignore untrusted certificates, but that's a temporary fix. I need to understand why this is happening. Is my certificate authority not set up correctly, and do I need to ask the IT guys to change some configuration? Do I need to copy a cert down to every single machine that needs to access these HTTPS services? Why does Chrome work fine? I've searched on my local machine for a cert I may have locally that is causing me to get false positives with the Chrome testing, but I don't have anything locally that should have any effect. Chrome seems to be resolving the CA over the network? (This is how I assumed this worked.) Any help is greatly appreciated, thank you.


There is 1 answer

Steffen Ullrich

Do I need to copy a cert down to every single machine that needs to access these HTTPS services? Why does Chrome work fine?

Every client which should connect to the hosts using the internal CA must trust this CA. My guess is that the admins made sure that the CA is included in the Windows trust store on all machines, since this can be easily done with a policy. But neither Firefox nor Ruby nor NodeJS nor Java (nor various other tools) uses the Windows trust store; they each have their own. Thus the local CA must be included in all of these trust stores too.
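As an added illustration of the answer (not code from the question or the answer), the Ruby snippet below reproduces the "certificate verify failed" situation with constructed test data: a private CA and a server certificate it signed are generated in memory, verification against an empty OpenSSL trust store fails with an issuer error, and verification succeeds once the internal CA is added. The last function shows the same fix applied to Net::HTTP (pointing `ca_file` at the CA's PEM, with `VERIFY_PEER` left on) instead of disabling verification; the host name and path it takes are placeholders.

```ruby
require 'openssl'
require 'net/http'

# Build a minimal X.509 v3 certificate. Constructed test data only.
def make_cert(subject, issuer_cert, issuer_key, key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
    ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer_key || key, OpenSSL::Digest::SHA256.new)  # CA self-signs
  cert
end

CA_KEY   = OpenSSL::PKey::RSA.new(2048)
CA_CERT  = make_cert('/CN=Internal Corp CA (constructed)', nil, nil, CA_KEY, ca: true)
SRV_KEY  = OpenSSL::PKey::RSA.new(2048)
SRV_CERT = make_cert('/CN=service.domain.com', CA_CERT, CA_KEY, SRV_KEY)

# Chain-verify a server certificate against the given trust anchors.
# Returns [true, nil] on success or [false, error_string] on failure.
def verify_against_store(server_cert, trusted_ca_certs)
  store = OpenSSL::X509::Store.new
  trusted_ca_certs.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, server_cert)
  ok = ctx.verify
  [ok, ok ? nil : ctx.error_string]
end

def demo
  { empty_store:      verify_against_store(SRV_CERT, []),        # fails: no trusted issuer
    with_internal_ca: verify_against_store(SRV_CERT, [CA_CERT]) } # succeeds
end

# Net::HTTP configured to trust the internal CA while keeping verification on.
def http_with_private_ca(host, ca_pem_path)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER  # do not switch to VERIFY_NONE
  http.ca_file = ca_pem_path                    # PEM file holding the internal CA
  http
end
```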