I call an Italian government web service to fetch company information.
IMPORTANT: I don't know when this started to fail (the service is rarely used in production).
It works without issues on a Windows 11 x64 development laptop.
There may be some differences in the certificates that are provided to clients based on network location due to CDNs and other regionalized endpoints. From a US-based location, I do not receive a full Server + CA chain with my request, just the Server certificate, and it functions as expected. I had @genesio-systemlogic provide the full cert chain he was receiving and looked at all certificates presented, and the intermediate certificate is using a currently unsupported critical extension OID: 2.5.29.30 - Name Constraints.
It's working on Windows and macOS because the chain is being verified by the platform verifier, while on Linux we use our own. We do support critical name constraints, but this certificate also has a DN constraint, regrettably, which we don't support (#15196).
They're a huge headache, but if they're showing up in the WebPKI we might have to bite the bullet and support them.
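The distinction drawn in the thread, between a Name Constraints extension that only restricts DNS names and one that also carries a directoryName (DN) subtree, can be checked directly on the extension's DER value. The following is an added example, not code from the thread or from the project; the function names and the sample bytes are constructed for illustration, and it assumes the extension value has already been extracted from the intermediate certificate.

```python
# Classify GeneralName forms in a DER NameConstraints value (RFC 5280, 4.2.1.10).
GENERAL_NAME = {0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
                4: "directoryName", 5: "ediPartyName", 6: "URI", 7: "iPAddress",
                8: "registeredID"}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    pos = 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        yield tag, body

def constraint_forms(name_constraints_der):
    """Map 'permitted'/'excluded' to the GeneralName forms used as subtree bases."""
    tag, seq, _ = read_tlv(name_constraints_der, 0)
    if tag != 0x30:
        raise ValueError("NameConstraints must be a SEQUENCE")
    found = {"permitted": [], "excluded": []}
    for tag, subtrees in children(seq):            # [0] permitted, [1] excluded
        key = {0xA0: "permitted", 0xA1: "excluded"}[tag]
        for _, subtree in children(subtrees):      # each GeneralSubtree
            base_tag, _ = next(children(subtree))  # first field is the base name
            found[key].append(GENERAL_NAME[base_tag & 0x1F])
    return found

def has_dn_constraint(name_constraints_der):
    forms = constraint_forms(name_constraints_der)
    return "directoryName" in forms["permitted"] + forms["excluded"]

# Constructed sample input (not taken from the certificate in this thread).
def tlv(tag, content):
    return bytes([tag, len(content)]) + content  # short-form lengths only

DN_C_IT = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x06") + tlv(0x13, b"IT"))))
SAMPLE = tlv(0x30, tlv(0xA0,
    tlv(0x30, tlv(0x82, b"example.test")) +    # dNSName subtree
    tlv(0x30, tlv(0xA4, DN_C_IT))))            # directoryName subtree
DNS_ONLY = tlv(0x30, tlv(0xA1, tlv(0x30, tlv(0x82, b"example.test"))))
```

A chain whose intermediate returns `True` from `has_dn_constraint` falls into the case the thread describes as unsupported by the non-platform verifier; a DNS-only constraint does not.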