tls - verify error:num=21:unable to verify the first certificate - validating tls certificate for a target host


Start by asking the server for the chain it actually sends (badssl.com runs a host that deliberately omits its intermediate certificate):

 openssl s_client -showcerts -connect incomplete-chain.badssl.com:443

The verify lines near the top of the output and the "Verify return code" line at the end show that the chain the server sent could not be completed.


The errors look like:

verify error:num=20:unable to get local issuer certificate

verify error:num=21:unable to verify the first certificate

---------------------

Sometimes, when trying to debug the issue, you need to hit the exact endpoint to get the error. For example, if you're using curl:

curl -k https://www.myhost.com/api/v1/healthz

vs.

curl -k https://www.myhost.com

The error might show up for the /api/v1/healthz endpoint and not for the root host. Two caveats: `-k` (`--insecure`) tells curl to skip certificate verification entirely, so to reproduce a verification error drop it and add `-v` to see the handshake; and because the TLS handshake completes before the request path is ever sent, an error that depends on the path is not coming from the first connection itself but from something behind it, such as a redirect to a different host or the endpoint making its own outbound TLS call and reporting that failure in its response.

This command, taken from Stack Overflow, is really useful:

echo "" | openssl s_client -connect www.google.com:443 -prexit 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p'

It prints the PEM certificate(s) from the handshake. Without -showcerts, s_client prints only the server's own (leaf) certificate; add -showcerts to get every certificate the server sent, which is the chain you need to inspect.


To decode a certificate, go to https://www.geocerts.com/certificate-decoder, select "Certificate decoder" and paste it in. Unfortunately, it can only decode one certificate at a time, so save the output to a file first:

echo "" | openssl s_client -connect www.google.com:443 -prexit 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > server_cert.pem

Or, to capture the whole chain the server sends:

echo "" | openssl s_client -showcerts -connect www.google.com:443 -prexit 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > server_cert.pem


Once you have the .pem file, you can decode it locally instead of pasting it into a website:

openssl x509 -in server_cert.pem -text -noout

Note that openssl x509 reads only the first PEM block in the file, so on a multi-certificate bundle this shows just the leaf.
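Because the online decoder takes one certificate at a time and openssl x509 reads only the first block, the practical next step is to split the bundle, look at each certificate's subject and issuer, and then verify the chain the way a TLS client does. The script below is an added example, not code from the original post. It runs offline and needs only the openssl command-line tool: a throwaway root, intermediate and leaf (all names, including "Example Test Root" and www.myhost.com, are constructed) stand in for the PEM blocks the s_client -showcerts pipeline above would extract from a real server, and a leaf-only bundle reproduces the incomplete-chain case.

```sh
#!/bin/sh
# Added example (not code from the original post). Needs only the openssl CLI
# and runs offline: a throwaway root -> intermediate -> leaf chain stands in
# for the PEM blocks that "openssl s_client -showcerts | sed" would extract
# from a live server. All names below are constructed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Sign CSR $1 with CA cert $2 and CA key $3, using the extensions in $4 -> $5.
sign_csr() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 1 -extfile "$4" -out "$5" 2>/dev/null
}

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.myhost.com\n' > leaf.ext

# Root (self-signed), intermediate (signed by root), leaf (signed by intermediate).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Root" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
  -out root.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate" \
  -keyout int.key -out int.csr 2>/dev/null
sign_csr int.csr root.pem root.key ca.ext int.pem
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.myhost.com" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
sign_csr leaf.csr int.pem int.key leaf.ext leaf.pem

# What a correctly configured server sends versus what a misconfigured one sends.
cat leaf.pem int.pem > full_chain.pem   # leaf + intermediate
cp leaf.pem incomplete_chain.pem        # leaf only: the incomplete-chain case

# Split a PEM bundle into $2/cert-1.pem, cert-2.pem, ... and print how many
# there were; "openssl x509 -in bundle.pem" would only ever read the first.
split_chain() {  # $1 = bundle, $2 = output dir
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
    inblock                       { print > out }
    /-----END CERTIFICATE-----/   { close(out); inblock = 0 }
    END                           { print n + 0 }' "$1"
}

# Subject and issuer of each certificate in a bundle, leaf first, one per line.
describe_chain() {  # $1 = bundle
  dir=$(mktemp -d)
  split_chain "$1" "$dir" >/dev/null
  for f in "$dir"/cert-*.pem; do
    openssl x509 -in "$f" -noout -subject -issuer | tr '\n' ' '
    echo
  done
}

# Verify the first certificate of bundle $1 against the trusted roots in $2,
# offering the rest of the bundle (plus optional file $3) as untrusted
# intermediates, which is how a TLS client treats what a server sends.
# Prints the numeric verify error (20 = unable to get local issuer
# certificate) or 0 when the chain verifies.
verify_error() {  # $1 = bundle as sent, $2 = trusted roots, $3 = extra intermediates
  if [ -n "${3:-}" ]; then
    out=$(openssl verify -CAfile "$2" -untrusted "$1" -untrusted "$3" "$1" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$2" -untrusted "$1" "$1" 2>&1) || true
  fi
  code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  echo "${code:-0}"
}

echo "== certificates in full_chain.pem"
describe_chain full_chain.pem
echo "== full chain:        error $(verify_error full_chain.pem root.pem)"
echo "== leaf only:         error $(verify_error incomplete_chain.pem root.pem)"
echo "== leaf + missing int: error $(verify_error incomplete_chain.pem root.pem int.pem)"
```

In real use, pass the file written by the s_client -showcerts pipeline as the bundle and your system CA bundle (for example /etc/ssl/certs/ca-certificates.crt on Debian-based systems) as the trusted roots. openssl verify stops at the first failure, so an incomplete chain reports only error 20 (unable to get local issuer certificate); s_client's verify callback keeps going after that and therefore also prints error 21 for the same missing intermediate. If supplying the intermediate as the third argument turns the result into 0, the diagnosis is confirmed: the server, not the client, must be fixed to send it.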




