"tlsv1 alert unknown ca" error when using new SSL certificates

Question

I am configuring emqtt MQTT Broker with SSL/TLS certificates from Digicert. I had done the SSL configuration for the same broker some years back and it was fine. But when I configured the new broker installation with new certificates, I am getting "unknown CA" error.

This is the SSL settings:

mqtt.listener.ssl.keyfile = etc/certs/prod.key 
mqtt.listener.ssl.certfile = etc/certs/server.crt
mqtt.listener.ssl.cacertfile = etc/certs/DigiCertCA.crt

And this is the error I saw in the server logs:

[error] <0.27032.0> SSL: certify: ssl_alert.erl:97:Fatal error: unknown ca

Can this be an issue with the new CA certifcate? Maybe it requires more dependent certificates in chain?

UPDATE This appears to be an OS issue.I got the following error when I tested the certificates using "openssl verify" in the server:

error 2 at 1 depth lookup:unable to get issuer certificate

Verify is success on my local PC with the same command and same certificates

I updated the OS root certificates using "yum update ca-certificates", but still I am getting the same error

Answer 1

I found the root cause. Basically I had missed using one of the CA certificates in the chain. The CA certificate I had was not enough. So I appended the missing CA certificate to the CA file I was using. I just used 'cat' command for this.