Understanding and Resolving the "Unable to Get Local Issuer Certificate" Error

Category: Blog
If you've encountered the frustrating unable to get local issuer certificate error, you're not alone. This common SSL issue can arise when a client or server is unable to establish a secure connection due to a missing or untrusted certificate in the certificate chain. SSL (Secure Sockets Layer) certificates are used to encrypt data and authenticate the identity of the server, ensuring secure communication between clients and servers. However, if there are issues with the certificate chain — such as missing intermediate certificates or outdated root certificates — this error may occur, preventing secure connections. In this blog, we will dive deeper into what causes this error and how to resolve it effectively to ensure that your applications remain secure.

What is SSL and Why Does This Error Occur?


SSL Certificates and Certificate Chains


SSL certificates are issued by trusted Certificate Authorities (CAs) to validate the identity of the server and encrypt communication between clients (such as browsers or APIs) and the server. These certificates are typically organized in a chain format. The chain includes the server certificate, intermediate certificates, and the root certificate.

The root certificate is trusted by the client and is often pre-installed in the client’s certificate store. Intermediate certificates, however, are often necessary to form a complete chain of trust between the root certificate and the server certificate. If any of these intermediate certificates are missing or not configured properly on the server, the client may fail to verify the authenticity of the server’s SSL certificate, leading to the unable to get local issuer certificate error.

The Common Causes of the Error


The unable to get local issuer certificate error is typically triggered by one or more of the following reasons:

  1. Missing Intermediate Certificates: SSL certificates are often issued as part of a chain that includes both the server certificate and intermediate certificates. If the server does not send the full chain, the client may fail to verify the certificate because it doesn’t have the necessary intermediates.

  2. Outdated or Untrusted Root Certificates: If the client’s system lacks the required root certificates or has outdated ones, it may not recognize the server’s SSL certificate as trustworthy. This is especially common in systems that haven’t been updated in a while.

  3. Misconfigured SSL/TLS Setup: In some cases, the server may be misconfigured to not send the full certificate chain. This means that only the server certificate is provided, and intermediate certificates are omitted.

  4. Expired or Invalid Certificates: If the server’s certificate has expired or been revoked, or if it was incorrectly issued, the client may reject it, leading to the error.


How to Resolve the "Unable to Get Local Issuer Certificate" Error


The good news is that this error can usually be fixed with a few straightforward steps. Below, we outline some of the most effective solutions.

1. Update Your System’s Root Certificates


One of the first steps in resolving the unable to get local issuer certificate error is to make sure that your system has the latest list of trusted root certificates. Outdated root certificates can cause verification issues, leading to the error.

  • Windows: Run Windows Update to ensure your system is up to date. Windows updates often include updated root certificates. Alternatively, you can manually install the latest root certificates from Microsoft’s website.

  • macOS: On macOS, you can update the root certificates through "Keychain Access" or by running system updates to ensure the latest trusted root certificates are installed.

  • Linux: On Linux systems, you can use the following commands to update your trusted certificates:
    sudo apt-get install ca-certificates
    
sudo update-ca-certificates



By updating the root certificates, you can ensure that your system has the latest trusted certificate authorities to verify SSL certificates.

2. Install Missing Intermediate Certificates


If the error continues after updating your root certificates, it’s possible that the server is not sending the entire certificate chain. Intermediate certificates are essential for creating a complete chain of trust between the server’s certificate and the root certificate.

  • Apache: On Apache servers, concatenate the server certificate and intermediate certificates into a single file:
    cat intermediate-cert.pem >> server-cert.pem



This ensures that the server sends the full certificate chain when clients connect.

  • Nginx: In Nginx, you can configure the full certificate chain using the ssl_certificate directive:
    ssl_certificate /path/to/fullchain.pem;



Make sure to restart the server after adding the intermediate certificates.

3. Configure SSL/TLS Correctly on Your Server


Ensure that your server is configured to send the entire certificate chain, including the intermediate certificates, to the client. Many clients (browsers, APIs, etc.) will reject the connection if they cannot validate the certificate chain.

You can use SSL Labs' SSL Test to check your server’s SSL configuration. This tool provides a detailed report on your server’s SSL/TLS setup, including whether it’s sending the complete certificate chain. If it isn’t, adjust your server’s SSL configuration to include the full chain of certificates.

4. Check SSL Certificate Installation


Sometimes, improper installation of SSL certificates can cause this issue. To verify that your SSL certificate is installed correctly, you can use OpenSSL:
openssl s_client -connect yourdomain.com:443

This command will show you the SSL certificate and its chain. If the certificate is incomplete or incorrect, you’ll need to fix the installation.

5. Reinstall or Renew Your SSL Certificate


If the above steps don’t resolve the issue, it may be necessary to renew or reinstall your SSL certificate. It’s possible that the certificate has expired, is not properly issued, or is otherwise invalid. Contact your certificate authority (CA) to request a new or renewed certificate and install it correctly on your server.

Additional Solutions for Specific Platforms


If you're using tools like Keploy for API testing, there may be platform-specific solutions for resolving SSL issues. Keploy offers powerful tools for API testing and can automatically detect and resolve SSL-related problems during the testing phase. By leveraging Keploy's AI-powered testing, you can ensure that your API tests run securely, with full SSL certificate verification.

For example, Keploy can automatically identify missing intermediate certificates and help you fix SSL/TLS issues as part of your automated testing process. This reduces the manual effort required to troubleshoot SSL errors and helps you focus on improving the overall functionality of your applications.

You can learn more about how Keploy can simplify SSL certificate management during API testing in our detailed guide: Keploy Blog on SSL Issues.

Conclusion


The unable to get local issuer certificate error can be a showstopper when it comes to establishing secure connections between clients and servers. However, by following the steps outlined in this blog — updating root certificates, installing missing intermediates, configuring your server’s SSL settings correctly, and verifying your certificate installation — you can resolve the issue efficiently. Additionally, tools like Keploy can simplify SSL troubleshooting by automating the detection and resolution of certificate issues during the testing phase, ensuring that your applications remain secure.

For further assistance and detailed solutions, check out the full guide on this topic in the Keploy blog.
123456789101112131415

Leave a Reply

Your email address will not be published. Required fields are marked *