This article describes the certificate verification failure when a WeChat mini-program accesses CDN.
The certificate verification fails when a WeChat mini-program on an Android client sends an HTTPS request to CDN.
The intermediate certificate submitted is invalid.
Send the HTTPS request that the WeChat mini-program sends to CDN by using any other browser and check the certificate verification status. If the certificate verification is normal, check whether there is an error with the intermediate certificates.
Check whether the certificate chain is complete. If it is complete, this issue is not caused by the certificate chain.
Check whether this issue is caused by SNI by capturing the failing access from WeChat on Android.
Send requests from the client to the server and check whether the server returns a Certificate Unknown error and sends a reset (RST) packet after the client exchanges the certificate with the server. In addition, view the SSL requests from the client to check whether the SSL requests include SNI information. Test results are shown in the following figure.
An error is reported and an RST packet is sent after the client exchanges the certificate with the server.
The SNI information carried by the client.
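The two checks made on the capture above (is SNI present in the client's request, and is a Certificate Unknown alert sent) can also be scripted. This is an added example, not part of the original article: it assumes the TLS bytes have already been reassembled from the capture, that the ClientHello fits in one record, and that the alert is sent unencrypted during the handshake. The host name and sample bytes are constructed.

```python
import struct

ALERTS = {42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca"}

def client_hello_sni(msg):
    """Return the SNI host name in a ClientHello handshake message, or None."""
    if len(msg) < 4 or msg[0] != 0x01:          # not a ClientHello
        return None
    pos = 4 + 2 + 32                            # handshake header, version, random
    pos += 1 + msg[pos]                         # session_id
    pos += 2 + struct.unpack_from("!H", msg, pos)[0]   # cipher_suites
    pos += 1 + msg[pos]                         # compression_methods
    if pos + 2 > len(msg):
        return None                             # hello carries no extensions
    end = pos + 2 + struct.unpack_from("!H", msg, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", msg, pos)
        if ext_type == 0:                       # server_name: list len, type, name len, name
            name_len = struct.unpack_from("!H", msg, pos + 7)[0]
            return msg[pos + 9:pos + 9 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None

def summarize(stream):
    """Walk the TLS records of a reassembled stream; report SNI and plaintext alerts."""
    out, pos = {"sni": None, "alerts": []}, 0
    while pos + 5 <= len(stream):
        ctype, _ver, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        if ctype == 0x16 and out["sni"] is None:          # handshake record
            out["sni"] = client_hello_sni(payload)
        elif ctype == 0x15 and length == 2:               # unencrypted alert
            out["alerts"].append(ALERTS.get(payload[1], str(payload[1])))
        pos += 5 + length
    return out

def build_client_hello(host=None):
    """Constructed sample ClientHello record (not a real capture)."""
    ext = b""
    if host:
        name = host.encode()
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack("!HH", 0, len(sni)) + sni
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\xc0\x2f\x01\x00" + struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

ALERT = b"\x15\x03\x03\x00\x02\x02\x2e"   # constructed: fatal certificate_unknown
print(summarize(build_client_hello("cdn.example.com") + ALERT))
```

A result with a non-empty `sni` together with a `certificate_unknown` alert matches the situation in the figures: SNI is being sent, so the failure lies in certificate validation rather than in a missing server name.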
Verify that the certificate returned by the CDN node server is also the certificate of this domain and that no exception is detected. The certificate returned by the CDN node server is shown in the following figure.
Verify that this issue is caused by the intermediate certificate error. You can use the export certificate function of the browser to export intermediate certificates. Follow the procedure shown in the following figure to download the intermediate certificates.