Thanks for the information & link for enhancement request.
#### ####
I found this error message in the API GW logs (enabled verbose logging)
I have seen this issue for Google Apps (GCP) connector as well; and resolve it with the intermediate public root CA certificates as a "trusted anchor".
I have up voted your enhancement request.
#### Details using openssl to trace #####
config@vapp0001 VAPP-14.1.0 (192.168.242.146):~ > openssl s_client -connect googleapis.com:443 -showcerts | grep -e "subject" -e "issuer" -e "s:" -e "i:"
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN =
www.google.comverify return:1
0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
issuer=/C=US/O=Google Trust Services/
CN=GTS CA 1O1
Verbose logging to trace SSL verification error message:
------------------------------
Sr. Principal Architect
------------------------------
Original Message:
Sent: 03-05-2018 04:17 AM
From: Stefan Klotz
Subject: Re: Trust-Store and Chain/Intermediate certificates
CA-support confirmed in the meanwhile that the described behavior is normal and that there is currently no option to workaround this. Based on this it makes no sense to import any Root-CAs or at least "higher" chain-certificates other than the direct issuer-certificates from the server-certificate.
To get this behavior changed I've raised the following idea.
Hope that could be changed asap.
Thank you!
Ciao Stefan