SSL (Secure Sockets Layer) certificates help in encrypting data and ensuring secure communication over the internet. However, encountering errors related to SSL certificates can be frustrating, especially the “unable to get local issuer certificate” error. This blog will explain this error, its causes, and various methods to fix it easily.
Table of Contents
What is the “Unable to Get Local Issuer Certificate” Error?
When you connect to a server over HTTPS, your computer verifies the server’s SSL certificate to ensure it is trustworthy. The “unable to get local issuer certificate” error occurs when your computer cannot verify the server’s certificate because it cannot find the issuer’s certificate in the trusted certificate store. This means that the certificate chain is broken, and your computer doesn’t trust the connection.
Common Causes of This “Unable to Get Local Issuer Certificate” Error
- Missing Intermediate Certificates: The server’s certificate chain might be incomplete, missing the intermediate certificates that link the server’s certificate to a trusted root certificate.
- Outdated Trusted Certificate Store: Your computer’s trusted certificate store may be outdated, missing the necessary certificates to verify the server’s certificate.
- Server Configuration Issues: The server may not be configured correctly to send the complete certificate chain.
- Network Issues: Network configurations or firewalls might block the retrieval of the necessary certificates.
How to Fix the “Unable to Get Local Issuer Certificate” Error
1. Update Your Trusted Certificate Store
Ensure that your computer’s trusted certificate store is up-to-date. On Windows, this is typically updated through Windows Update. For macOS and Linux, ensure your system and package manager are up-to-date.
On Windows:
- Open Settings and go to Update & Security.
- Click on Check for updates and install any available updates.
On macOS:
- Open System Preferences and go to Software Update.
- Click on Update Now and install any available updates.
On Linux:
- Open the terminal.
- Update your package manager with the following commands:
sudo apt update
sudo apt upgrade
2. Manually Install Missing Intermediate Certificates
If the server’s certificate chain is incomplete, you can manually install the missing intermediate certificates.
- Visit the website of the Certificate Authority (CA) that issued the SSL certificate.
- Download the necessary intermediate certificates.
- Install the intermediate certificates in your trusted certificate store.
On Windows:
- Double-click the downloaded intermediate certificate file.
- Click on Install Certificate.
- Follow the prompts to install the certificate in the Trusted Root Certification Authorities store.
On macOS:
- Double-click the downloaded intermediate certificate file.
- In the Keychain Access app, drag the certificate to the System keychain.
- Right-click the certificate and select Get Info. Under Trust, set When using this certificate to Always Trust.
On Linux:
- Copy the downloaded intermediate certificate file to the /usr/local/share/ca-certificates/ directory.
- Run the following command to update the certificate store:
sudo update-ca-certificates
3. Verify and Configure the Server
Ensure that the server is correctly configured to send the complete certificate chain. If you manage the server, check the server configuration files to include the intermediate certificates. If you don’t manage the server, contact the server administrator to fix the configuration.
For Apache Server:
- Open the SSL configuration file (e.g., ssl.conf or httpd.conf).
- Ensure the SSLCertificateChainFile directive points to the correct intermediate certificate file:
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/CA_bundle.crt
Restart the Apache server:
sudo systemctl restart apache2
For Nginx Server:
- Open the SSL configuration file (e.g., nginx.conf or a specific site configuration file).
- Ensure the ssl_certificate directive includes the intermediate certificates:
ssl_certificate /path/to/your_domain_name.crt;
ssl_certificate_key /path/to/your_private.key;
ssl_trusted_certificate /path/to/CA_bundle.crt;
Restart the Nginx server:
sudo systemctl restart nginx
4. Bypass SSL Verification (Temporary Solution)
As a temporary workaround, you can bypass SSL verification. However, this is not recommended for production environments as it compromises security.
For cURL:
Use the -k or –insecure option:
curl -k https://your-domain.com
For Python Requests:
Set verify to False in your request:
import requests
response = requests.get('https://your-domain.com', verify=False)
5. Check Network Configuration
Ensure that your network configuration or firewall is not blocking the retrieval of certificates. This includes checking proxy settings, firewall rules, and any security software that might interfere with SSL connections.
Conclusion
The “unable to get local issuer certificate” error can be resolved by updating your trusted certificate store, manually installing missing intermediate certificates, verifying and configuring the server, or checking network configurations. While bypassing SSL verification can be a temporary fix, it is not recommended for long-term use due to security risks.
By following these steps, you can ensure secure and trusted SSL connections, maintaining the integrity and security of your online communications.
FAQs
Q1. What causes the “unable to get local issuer certificate” error?
The “unable to get local issuer certificate” error occurs when your computer cannot verify the server’s SSL certificate because it cannot find the issuer’s certificate in the trusted certificate store. This issue is often caused by missing intermediate certificates, an outdated trusted certificate store, server configuration problems, or network issues that block certificate retrieval. Ensuring that the certificate chain is complete and that your system’s trusted certificate store is up-to-date can help resolve this error.
Q2. How can I update my trusted certificate store?
Updating your trusted certificate store ensures that your system recognizes the latest certificates from trusted authorities. On Windows, you can do this through Windows Update by going to Settings, selecting Update & Security, and clicking on Check for updates. For macOS, open System Preferences, go to Software Update, and click on Update Now. On Linux, use the terminal to run commands like sudo apt update and sudo apt upgrade to update your package manager and certificate store.
Q3. How do I manually install missing intermediate certificates?
To manually install missing intermediate certificates, first, download the necessary certificates from the Certificate Authority’s (CA) website. On Windows, double-click the downloaded file and follow the prompts to install it in the Trusted Root Certification Authorities store. On macOS, drag the certificate to the System keychain in the Keychain Access app and set it to Always Trust. For Linux, copy the certificate file to the /usr/local/share/ca-certificates/ directory and update the certificate store with the sudo update-ca-certificates command.
Q4. How can I verify and configure the server to send the complete certificate chain?
Verifying and configuring the server to send the complete certificate chain involves checking the server’s SSL configuration files. For an Apache server, ensure the SSLCertificateChainFile directive points to the correct intermediate certificate file and restart the server. For an Nginx server, include the intermediate certificates in the ssl_certificate directive and restart the server. Properly configuring the server ensures that the entire certificate chain is sent to clients, preventing SSL errors.
Q5. Is it safe to bypass SSL verification as a temporary solution?
Bypassing SSL verification can temporarily resolve the “unable to get local issuer certificate” error, but it is not recommended for production environments. This practice compromises the security of the connection, making it vulnerable to man-in-the-middle attacks. If you must bypass SSL verification temporarily, use the -k or –insecure option in cURL or set verify to False in Python requests. However, focus on resolving the underlying issue for a secure, long-term solution.
Q6. What should I check in my network configuration to resolve this error?
To resolve this error, ensure that your network configuration or firewall is not blocking the retrieval of necessary certificates. Check your proxy settings, firewall rules, and any security software that might interfere with SSL connections. Ensuring that your network allows the necessary traffic can help prevent SSL certificate errors and maintain a secure connection.
Q7. Why is it important to resolve the “unable to get local issuer certificate” error?
Resolving the “unable to get local issuer certificate” error is crucial for maintaining secure and trusted SSL connections. SSL certificates are essential for encrypting data and ensuring secure communication over the internet. By addressing this error, you ensure that your connections are verified and trustworthy, protecting sensitive information from potential security threats and maintaining the integrity of your online communications.