Fixing An OpenSSL Intermediate Chain With Sectigo and PositiveSSL

I decided to add prometheus metrics to Andrew, my web server.

To display them, I signed up for grafana cloud. I assumed I'd be able to point their prometheus instance at my unauthenticated metrics endpoint. How wrong I was; you must either use Bearer tokens or Basic Auth.

That's fair enough. So I thought I'd just use an agent to scrape and push. Grafana likes grafana alloy, so I figured I'd give it a shot.

It hates my ssl certificate.

Checking into its complaint, it's right.


; openssl s_client -connect playtechnique.io:443 -showcerts
...redactions-for-clarity...
Verify return code: 21 (unable to verify the first certificate)
...redactions-for-clarity...

I assume this is the dreaded intermediate certificate problem.

It's dreaded because I've fixed it a dozen times and can never remember the right bloody technique.