Hi there!

Bug Report

Fly CLI was reporting that our x509 cert was signed by an unknown authority. Visiting the CI in any browser worked fine.

We then noticed that there is an intermediate CA certificate that the browsers were able to pick up from our system - which the fly cli did not. We're filing this issue since curl succeeded so I'd imagine fly would utilize the same set of ca certs.

A work around was to configure our atc_tls.certificate to contain both the cert and the intermediate CA.

The following can also be handy:

• Concourse version: 3.10.0
• Deployment type (BOSH/Docker/binary): BOSH
• Infrastructure/IaaS: GCP
• Browser (if applicable): All browsers work