tlsctl save doesn't always process the full chain
I'm testing the most recent master build and I'm not getting the full chain being downloaded.
gitlab.com works as expected:
~/Downloads/build$ ./tlsctl-linux-amd64 save --url https://gitlab.com
INFO[0000] Save CAChain path=data/gitlab.com/CAChain.crt
INFO[0000] Save cert file path=data/gitlab.com/2180922574754299852229941692052659812 serial=2180922574754299852229941692052659812 subject="CN=about.gitlab.com"
INFO[0000] Save cert file path=data/gitlab.com/162381399334300351237757892920061450013 serial=162381399334300351237757892920061450013 subject="CN=GlobalSign Atlas R3 DV TLS CA H2 2021,O=GlobalSign nv-sa,C=BE"
INFO[0000] Save cert file path=data/gitlab.com/4835703278459759426209954 serial=4835703278459759426209954 subject="CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign"
My GitLab does not.
~/Downloads/build$ ./tlsctl-linux-amd64 save --url https://git.watertower
INFO[0001] Save CAChain path=data/git.watertower/CAChain.crt
INFO[0001] Save cert file path=data/git.watertower/4111 serial=4111 subject="CN=gander.watertower,OU=general,O=watertower,L=Bournemouth,ST=England,C=GB"
~/Downloads/build$ diff ./data/git.watertower/4111 ./data/git.watertower/CAChain.crt
27c27
< -----END CERTIFICATE-----
---
> -----END CERTIFICATE-----
\ No newline at end of file
But there's definitely a second cert in the chain:
~/Downloads/build$ echo | openssl s_client -connect git.watertower:443 -showcerts 2>/dev/null
CONNECTED(00000005)
---
Certificate chain
0 s:C = GB, ST = England, L = Bournemouth, O = watertower, OU = general, CN = gander.watertower
i:C = GB, ST = England, O = watertower, OU = pki, CN = sign20190513.pki.watertower
-----BEGIN CERTIFICATE-----
MIIEjDCCAnSgAwIBAgICEA8wDQYJKoZIhvcNAQELBQAwaDELMAkGA1UEBhMCR0Ix
EDAOBgNVBAgMB0VuZ2xhbmQxEzARBgNVBAoMCndhdGVydG93ZXIxDDAKBgNVBAsM
A3BraTEkMCIGA1UEAwwbc2lnbjIwMTkwNTEzLnBraS53YXRlcnRvd2VyMB4XDTIx
(snip)
rDyd+vmedjH4IHEr8p5MWZTfnTvGamV7kAasXZAOdSeZkT17+MohRIpGq/EI6ykX
CUuuJJh7P4Ue+KvoE6aT+HJUgw+nbwUPKjjBQ4ca0TWGR/Z4czYd6/UkxE1w0Z7X
aaDguay+eK+CYxNvrGKLLw==
-----END CERTIFICATE-----
1 s:C = GB, ST = England, O = watertower, OU = pki, CN = sign20190513.pki.watertower
i:C = GB, ST = England, L = Bournemouth, O = watertower, OU = pki, CN = root20190513.pki.watertower
-----BEGIN CERTIFICATE-----
MIIFyDCCA7CgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwfjELMAkGA1UEBhMCR0Ix
EDAOBgNVBAgMB0VuZ2xhbmQxFDASBgNVBAcMC0JvdXJuZW1vdXRoMRMwEQYDVQQK
DAp3YXRlcnRvd2VyMQwwCgYDVQQLDANwa2kxJDAiBgNVBAMMG3Jvb3QyMDE5MDUx
(snip)
CCN7sXOV7oenYCBzaLAFUGiTDBFQC295oCq1TiJnQYZJjEUjAPO9/wFpK0QD0RQ6
1ucUXhnzb9NIkagte+wHWbuFZH9VpTs6cJ8j9CSqVmzQzt6XlS221g+ylR33kXsu
Ggpwxq36+qjknUs3+6JC0Qdck+ejKVwTMrWd9yZ/gK/SSMayJnWTPD4IFkQ=
-----END CERTIFICATE-----
---
Server certificate
subject=C = GB, ST = England, L = Bournemouth, O = watertower, OU = general, CN = gander.watertower
issuer=C = GB, ST = England, O = watertower, OU = pki, CN = sign20190513.pki.watertower
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3217 bytes and written 396 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
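To show what a complete save has to capture for a private-CA server like this one, here is an added Go example; it is not tlsctl's code, and the report does not show where tlsctl drops the intermediate. It dials with verification switched off purely to record the chain the peer presented (which must then be verified separately), writes that chain as one PEM bundle in the shape CAChain.crt should have, and includes a constructed two-certificate chain ("root.test" signing "gander.test", not a real PKI) so it can be exercised against a loopback server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// PresentedChain returns every certificate the server at addr sent, in the order sent. Verification
// is skipped on purpose so a private-CA server (like git.watertower above) still yields its whole chain.
func PresentedChain(addr, serverName string) ([]*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	// PeerCertificates is what the peer presented; VerifiedChains would be empty here, so a tool reading it saves nothing.
	return conn.ConnectionState().PeerCertificates, nil
}

// ChainPEM concatenates a chain into one PEM bundle, which is what CAChain.crt should contain.
func ChainPEM(chain []*x509.Certificate) []byte {
	var out []byte
	for _, c := range chain {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// ConstructedChain builds a throwaway root CA plus a leaf for "gander.test" (not a real PKI) for loopback tests.
func ConstructedChain() (tls.Certificate, error) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	_, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "root.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caKey.Public(), caKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4111), Subject: pkix.Name{CommonName: "gander.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{"gander.test"}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caTmpl, leafKey.Public(), caKey)
	// Leaf first, then its issuer: the order a server is expected to send them.
	return tls.Certificate{Certificate: [][]byte{leafDER, caDER}, PrivateKey: leafKey}, err
}
```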