Unable to verify the first certificate on postman

This seems to be the result of two things:

  1. Postman doesn't trust the issuing certificate from Let's Encrypt
  2. Your ES node is configured to only send the leaf certificate in the SSL handshake

The background info is here

Let's Encrypt has an offline root cert, and a separate issuing certificate. That's very normal for a CA.

But what it means is that, if you:

  1. Are using a tool (like Postman, or any other client) that trusts Let's Encrypt's root cert (technically, ISRG's root cert), but knows nothing of the issuing cert, and
  2. Your server has a cert issued by the Let's Encrypt issuer, but does not include a copy of that issuing cert

then, when you point that tool at the server, there's no way for the 2 of them to connect-the-dots. The chain is broken because neither the client nor the server has a copy of the intermediate issuing certificate.
The tool trusts anything signed by ISRG, and the server has something that is signed by ISRG, but the only way to know that is if you have a copy of the Let's Encrypt issuing cert (R3).

I don't know if there's a way to change #1 (make Postman know about the LE issuing cert), but you can fix #2 by grabbing the issuing cert (R3) from Let's Encrypt and adding it to the cert chain in your ES instance.

I assume your cert is signed by the R3 issuing cert from Let's Encrypt (there are other possibilities, but they're very unlikely). You can grab that cert from here

To tell ES to use it, you just append it to the existing .crt file you're using.

Here's what you could do on a Linux server.
It looks like you're using Windows, so you'll need to make some adjustments for your needs.

```bash
# Get the R3 cert from Let's Encrypt
curl -o ./lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem

# Check that it downloaded correctly and looks like a PEM file with a
# -----BEGIN CERTIFICATE-----
# header, etc.
cat ./lets-encrypt-r3.pem

# Add it to the end of your cert chain
cat ./lets-encrypt-r3.pem >> config/certs/mydomain.com-crt.pem
```
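The broken chain described in the answer above can be reproduced offline. This is an added example, not part of the original post: it uses `openssl` to build a constructed root, issuing CA and leaf (the demo root stands in for the ISRG root, the demo issuing CA for R3), then checks a leaf-only file and a leaf-plus-issuing file as a client that trusts only the root. All names and file paths in it are made up for the demo.

```bash
#!/bin/sh
# Added demo, constructed throwaway PKI: Demo Root -> Demo Issuing CA -> leaf.
# Every name here (es.example.test, file names) is made up; nothing is fetched.

# new_cert <dir> <name> <subject> <signer-name|self> <TRUE|FALSE: is it a CA?>
new_cert() {
  printf 'basicConstraints=critical,CA:%s\n' "$5" > "$1/$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
  if [ "$4" = self ]; then
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" \
      -extfile "$1/$2.ext" -days 2 -out "$1/$2.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
      -CAcreateserial -extfile "$1/$2.ext" -days 2 -out "$1/$2.pem" 2>/dev/null
  fi
}

# Builds root.pem, issuing.pem and leaf.pem in <dir>.
make_demo_pki() {
  new_cert "$1" root "/CN=Demo Root" self TRUE &&
    new_cert "$1" issuing "/CN=Demo Issuing CA" root TRUE &&
    new_cert "$1" leaf "/CN=es.example.test" issuing FALSE
}

# Number of certificates in the PEM file the server is configured to send.
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# Verify as a client that trusts only <root> and receives <served>: the first
# cert in <served> is checked, the rest are offered as untrusted intermediates.
verify_served() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

report() {  # report <label> <root.pem> <served.pem>
  if verify_served "$2" "$3"; then r="chain verifies"; else r="chain broken"; fi
  echo "$1: $(count_certs "$3") cert(s) served, $r"
}

demo() {
  d=$(mktemp -d) || return 1
  make_demo_pki "$d" || return 1
  cp "$d/leaf.pem" "$d/served.pem"            # leaf only, as in the post
  report "leaf only" "$d/root.pem" "$d/served.pem"
  cat "$d/issuing.pem" >> "$d/served.pem"     # the fix: append the issuing cert
  report "leaf + issuing" "$d/root.pem" "$d/served.pem"
  rm -rf "$d"
}
demo
```

`count_certs` and `verify_served` can also be pointed at a real certificate file and root to confirm the intermediate was appended correctly before restarting the node.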