How to Resolve the “Unable to Get Local Issuer Certificate” SSL Error

SSL certificates are essential for securing data exchanges over the internet. However, encountering SSL errors, like the “Unable to Get Local Issuer Certificate” message, can be frustrating. This error occurs when a system cannot verify the SSL certificate chain due to missing intermediate certificates or issues with the certificate store. In this blog, we’ll walk you through the causes of this error and provide solutions to resolve it efficiently.

What is the “Unable to Get Local Issuer Certificate” Error?

When a web browser or application attempts to establish a secure connection via HTTPS, it checks the server’s SSL certificate. The “Unable to Get Local Issuer Certificate” error appears when your system cannot find the issuer’s certificate in the trusted certificate store. Essentially, the certificate chain is incomplete, and as a result, your system does not trust the server’s SSL certificate.

Common Causes of the Error

There are several reasons why you may encounter the “Unable to Get Local Issuer Certificate” error:

1. Missing Intermediate Certificates: The server’s certificate chain might not include the intermediate certificates required to link the server’s SSL certificate to a trusted root certificate.

2. Outdated Certificate Store: The certificate store on your system may be outdated, lacking the necessary certificates to validate the server’s SSL certificate.

3. Server Configuration Issues: The server may not be configured to send the full certificate chain, including intermediate certificates.

4. Network Problems: Firewalls, proxies, or network configurations could prevent the required certificates from being retrieved.

How to Fix the “Unable to Get Local Issuer Certificate” Error

1. Update Your Trusted Certificate Store

To fix this error, the first step is to ensure that your system’s trusted certificate store is up-to-date. This ensures that your system has the latest root and intermediate certificates required to verify SSL certificates.

On Windows:

• Go to Settings > Update & Security.

• Click Check for updates and install any available updates.

On macOS:

• Open System Preferences and click Software Update.

• Click Update Now to install any available updates.

On Linux:

• Open the terminal and run the following commands:

  sql

  复制编辑

  sudo apt update
sudo apt upgrade


2. Manually Install Missing Intermediate Certificates

If the server’s SSL certificate chain is incomplete, you can manually install the missing intermediate certificates. Here’s how to do it:

On Windows:

• Download the intermediate certificate from the Certificate Authority (CA) website.

• Double-click the downloaded certificate file and click Install Certificate.

• Select Place all certificates in the following store and choose Trusted Root Certification Authorities.

On macOS:

• Download the intermediate certificate.

• Double-click the file to open it in Keychain Access.

• Drag the certificate to the System keychain and set it to Always Trust under the trust settings.

On Linux:

• Download the intermediate certificate.

• Copy it to the directory: /usr/local/share/ca-certificates/.

• Run the following command to update your certificate store:

  sql

  复制编辑

  sudo update-ca-certificates


3. Verify and Configure the Server

If you’re managing the server, you’ll want to ensure that the server is configured correctly to send the complete certificate chain.

For Apache:

• Open the SSL configuration file (ssl.conf or httpd.conf).

• Ensure that the SSLCertificateChainFile directive points to the intermediate certificate file:

  pgsql

  复制编辑

  SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/CA_bundle.crt


• Restart the Apache server with:

  nginx

  复制编辑

  sudo systemctl restart apache2


For Nginx:

• Open the SSL configuration file (nginx.conf or specific site configuration).

• Make sure the ssl_certificate directive includes the intermediate certificates:

  pgsql

  复制编辑

  ssl_certificate /path/to/your_domain_name.crt;
ssl_certificate_key /path/to/your_private.key;
ssl_trusted_certificate /path/to/CA_bundle.crt;


• Restart the Nginx server with:

  nginx

  复制编辑

  sudo systemctl restart nginx


4. Bypass SSL Verification (Temporary Fix)

If you need a quick workaround, you can bypass SSL verification. However, this is not recommended for production environments due to security risks.

• For cURL:
  Use the -k or --insecure option:

  nginx

  复制编辑

  curl -k https://your-domain.com


• For Python Requests:
  Set the verify parameter to False:

  python

  复制编辑

  import requests
response = requests.get('https://your-domain.com', verify=False)


5. Check Network Configuration

Ensure that your network setup, including proxy settings and firewalls, is not blocking the retrieval of certificates. You may need to adjust firewall rules or configure your proxy to allow SSL certificate retrieval.

Conclusion

The “Unable to Get Local Issuer Certificate” error is usually caused by missing intermediate certificates, outdated certificate stores, or server configuration issues. By following the steps outlined in this blog, you can resolve this error and ensure secure, trusted connections to your website.

While bypassing SSL verification can be a temporary solution, it’s essential to resolve the underlying issue for long-term security. By updating your certificate store, manually installing missing certificates, and configuring your server correctly, you can ensure a seamless and secure experience for your users.