I was facing the same issue. Postman would complain about the “Unable to verify the first certificate” but if I load the URL via Chrome (or even my mobile app that we are developing), there are no SSL certificate errors.
As my API was hosted on Apache Tomcat (on Windows) & the SSL cert used was an exported SSL cert from IIS (PFX), it was apparently lacking the trust chain (root & intermediate certs).
I found that you could add it manually using openssl commands (comprehensive guide HERE) or you could just export your SSL cert via the Windows Certificate MMC. After you have the Certificate MMC opened:
- Navigate to Certificate > Web Hosting > Certificates and select your SSL cert
- Then right click and select “All Tasks” & “Export”
- Click “Next”
- Select “Yes, export the private key”
- Ensure it is “Personal Information Exchange - PKCS #12 (.PFX)” and check:
  - “Include all certificates in the certification path if possible” (this is the important item)
  - “Enable certificate privacy”
- Click “Next”
- Check “Password” and type in a password and confirm the password (leave Encryption as “TripleDES-SHA1”) and click “Next”
- Select a folder & filename to export to
- Click “Finish” and a prompt will be shown saying that the export was successful
After that, copy and re-apply the newly exported PFX to Apache Tomcat (in my case, I just overwrote the existing PFX and restarted Apache Tomcat for the new cert to take effect). After that, the “Unable to verify the first certificate” is no longer seen. I could replicate the issue again if I exported the SSL certs from IIS directly. So, moral of the story, do not export your SSL certs via IIS but instead use the Windows Certificate MMC to export it.
Hope this helps someone out or at least points them in the right direction of missing root & intermediate certs in your SSL cert.
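
As an added example (not part of the original post), this is one way to check with openssl whether a PFX carries the intermediate and root certificates before it is deployed to Tomcat. It builds a constructed root, intermediate and leaf chain so it runs offline; the file names, subjects, the password `demo` and the function names are all assumptions.

```shell
#!/usr/bin/env bash
# Added example. All names, subjects and the password "demo" are constructed.

# Number of certificates inside a PFX; 1 means leaf only (no chain).
pfx_cert_count() {  # usage: pfx_cert_count FILE PASSWORD
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Succeeds if a client that trusts only ROOT can verify the leaf using the
# extra certificates carried in the PFX (what the server would send).
pfx_chain_verifies() (  # usage: pfx_chain_verifies FILE PASSWORD ROOT
  t=$(mktemp -d) || exit 2
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" -out "$t/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -nokeys -cacerts -passin "pass:$2" -out "$t/extra.pem" 2>/dev/null
  if [ -s "$t/extra.pem" ]; then
    openssl verify -CAfile "$3" -untrusted "$t/extra.pem" "$t/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$3" "$t/leaf.pem" >/dev/null 2>&1
  fi
  rc=$?; rm -rf "$t"; exit "$rc"
)

# Build a constructed root -> intermediate -> leaf chain in DIR, then export
# the leaf twice: once without the chain and once with it.
build_demo_pfx() (
  cd "$1" || exit 1
  exec 2>/dev/null   # hide openssl progress output
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n.example.test" -keyout "$n.key" -out "$n.csr"
  done
  openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.crt
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 2 -extfile ca.ext -out int.crt
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -days 2 -out leaf.crt
  cat int.crt root.crt > chain.pem
  openssl pkcs12 -export -inkey leaf.key -in leaf.crt -passout pass:demo -out leaf-only.pfx
  openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile chain.pem -passout pass:demo -out with-chain.pfx
)

demo=$(mktemp -d) && build_demo_pfx "$demo"
for f in leaf-only with-chain; do
  pfx_chain_verifies "$demo/$f.pfx" demo "$demo/root.crt" && r="verifies" || r="does NOT verify"
  echo "$f.pfx: $(pfx_cert_count "$demo/$f.pfx" demo) cert(s), $r against the root alone"
done
```

For a real export, only `pfx_cert_count` and `pfx_chain_verifies` are needed, with the PFX password and the issuing CA's root certificate file in place of the constructed ones.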