
I created a root CA and intermediate CA, then used the intermediate to sign a leaf cert, for the purpose of enabling SSL on various web servers in an internal network.

I'm trying to figure out if I need to distribute both the root and intermediate CA certs in my client truststores, or if I can get by with only distributing the root, as explained in: Do I put my subordinate (intermediate) or root CA certificate in my truststore?

Doing a quick test with curl against an https endpoint with a leaf cert, signed by the intermediate, it appears I need the full chain, e.g.:

curl --cacert chain.crt https://my-endpoint:8080/

When I tried with only the root CA, I got an error:

curl --cacert root.crt https://my-endpoint:8080/
curl: (60) SSL certificate problem: unable to get issuer certificate

Why do I need to provide curl the full chain instead of only the root CA? Do I need to create leaf certs with a special option to embed the full chain?

Edit: another answer that indicates I should only need the root: https://security.stackexchange.com/a/83875/117515

Edit 2: the webserver I'm testing against happens to be Vault – not sure if that's relevant but perhaps there's something wrong with the way that server is presenting its certificate; it needs to serve the full chain, right? How do I verify that it is or isn't serving the full chain?

devth

1 Answer


Why do I need to provide curl the full chain instead of only the root CA?

In order to build the trust chain the client has to know the intermediate certificate somehow. Usually this is done by sending both the leaf certificate and the intermediate certificate in the TLS handshake, but it is a common error in server configuration to send only the leaf certificate. This is probably the problem in your case too.

Steffen Ullrich
Exactly right! I didn't realize I needed to concat the two certs together and use that file in the server configuration. If I had read the docs (https://www.vaultproject.io/docs/config/index.html#tls_cert_file) upfront I would have found that they say the same thing. – devth Jul 14 '16 at 13:36
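The chain-building behaviour the answer describes, reproduced locally with openssl as an added example (this is not code from the question, the answer, or Vault). It builds a throwaway root -> intermediate -> leaf chain, shows that verifying the leaf against the root alone fails because the intermediate is missing, and that supplying the intermediate fixes it; the CA names, the leaf CN and the temp directory are assumptions, and only an openssl binary (1.1.x or 3.x) on PATH is required.

```shell
# Added example; reproduces the "unable to get issuer certificate" failure with
# a locally generated chain. Assumes openssl on PATH; runs in a temp directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Both CA certs must carry basicConstraints CA:TRUE, or OpenSSL refuses to use
# them as issuers when building the chain.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

make_chain() {
  # Self-signed root CA (constructed, short-lived, test only).
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 2 \
    -extfile ca.ext >/dev/null 2>&1
  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout intermediate.key \
    -out intermediate.csr -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -out intermediate.crt -days 2 -extfile ca.ext >/dev/null 2>&1
  # Leaf (server) certificate, signed by the intermediate only.
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=my-endpoint" >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA intermediate.crt -CAkey intermediate.key \
    -CAcreateserial -out leaf.crt -days 2 >/dev/null 2>&1
  # What the server must present: leaf first, then the intermediate. This is
  # the file a server's certificate setting (e.g. Vault's tls_cert_file) points at.
  cat leaf.crt intermediate.crt > chain.crt
}

# Exit 0 only if the leaf verifies with the root as the sole trusted cert and
# no intermediate available: the "curl --cacert root.crt" situation.
verify_root_only() {
  openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1
}

# Exit 0 when the intermediate is offered as an untrusted link, which is what
# a correctly configured server does in the TLS handshake.
verify_with_intermediate() {
  openssl verify -CAfile root.crt -untrusted intermediate.crt leaf.crt >/dev/null 2>&1
}

make_chain
if verify_root_only; then echo "root only: verified (unexpected)"; else echo "root only: FAILED (intermediate missing)"; fi
if verify_with_intermediate; then echo "root + intermediate: OK"; fi
# To check what a live server actually sends, count the certificates it presents
# (expect 2 for leaf + intermediate):
#   openssl s_client -showcerts -connect my-endpoint:8080 </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
```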