IDX20803: Unable to obtain configuration from: 'https://{custom domain}/.well-known/openid-configuration'

I am getting the IDX20803 error when trying to call a dotnet api from an Angular application. I fully control both the api and app and have everything working as it should in a development environment. The custom domain login page works, redirects back into the app as it should and I am able to use the API as expected based on scopes/permissions.

When I deploy off of the development box and onto a production server environment, I am able to log into the application just fine; however, when I attempt to call the API I get a 500 HTTP response and an exception containing the error in the API logs.

At first the error was System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String' but after setting IdentityModelEventSource.ShowPII = true in the dotnet api I got a much more meaningful error.

I have managed to trace this back to a problem with the SSL certificates. I am not using self-signed certs; I have a wildcard for the domain that seems to be working correctly. Browsers do not detect any error and a curl request works fine when I connect to a domain with my certs. Browsers do not detect any problems with the cert at the custom domain but a curl request to it fails with curl: (60) SSL certificate problem: unable to get local issuer certificate.

I downloaded the root cert and manually installed it into ca-certificates and now curl requests work but I still get the error calling the API.

I’m out of ideas and all the Google links are purple. Has anyone else run into this? How did you fix it?
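
An added example, not part of the original post: a small console program that repeats the HTTPS request for the discovery URL from inside a .NET process and prints the certificate chain that the runtime builds, so the result can be compared with what curl reports on the same server. The class name `DiscoveryTlsCheck` is hypothetical, and the custom domain is passed as the only argument.

```csharp
// Added diagnostic sketch; run it on the production server as the same user as the API.
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

public static class DiscoveryTlsCheck   // hypothetical name
{
    public static async Task<int> Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: DiscoveryTlsCheck <custom-domain>");
            return 2;
        }
        var url = $"https://{args[0]}/.well-known/openid-configuration";

        using var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
            {
                Console.WriteLine($"SslPolicyErrors: {errors}");
                if (chain != null)
                {
                    // Certificates the runtime managed to link together, leaf first.
                    foreach (X509ChainElement element in chain.ChainElements)
                        Console.WriteLine($"  chain element: {element.Certificate.Subject}");
                    // Reasons the chain was rejected, if any (e.g. PartialChain, UntrustedRoot).
                    foreach (X509ChainStatus status in chain.ChainStatus)
                        Console.WriteLine($"  chain status: {status.Status} {status.StatusInformation}");
                }
                // Report only: return the platform's own verdict so validation is not weakened.
                return errors == SslPolicyErrors.None;
            }
        };
        using var client = new HttpClient(handler);
        try
        {
            using var response = await client.GetAsync(url);
            Console.WriteLine($"HTTP {(int)response.StatusCode} from {url}");
            return response.IsSuccessStatusCode ? 0 : 1;
        }
        catch (HttpRequestException ex)
        {
            Console.Error.WriteLine($"Request failed: {ex.Message}");
            Console.Error.WriteLine($"Inner: {ex.InnerException?.Message}");
            return 1;
        }
    }
}
```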