SSL certificates are crucial for securing websites, protecting sensitive data such as login credentials, credit card information, and other personal details. However, while browsing certain websites or connecting to web servers, you may encounter the “SSL certificate problem: Unable to get local issuer certificate” error.
This error typically occurs when the SSL certificate chain is incomplete or the necessary intermediate certificates are missing from the server. In simple terms, your browser or server is unable to verify the trustworthiness of the SSL certificate because it can’t find the certificate authority (CA) that issued it in the local system’s certificate store.
In this guide, we will discuss what this error means, its causes, and how to resolve the “Unable to get local issuer certificate” error step by step.
What Does “Unable to Get Local Issuer Certificate” Mean?
When you visit a website secured by SSL, the web server sends its SSL certificate to the browser to verify its authenticity. The browser then checks the certificate against a list of trusted certificate authorities (CAs). The “Unable to get local issuer certificate” error occurs when the browser or server cannot find a trusted intermediate certificate to verify the chain of trust.
This issue can arise for several reasons, including missing intermediate certificates, misconfigured SSL setups, or problems in the server’s SSL certificate configuration.
Why Does the “Unable to Get Local Issuer Certificate” Error Occur?
Here are the most common causes of this error:
- Missing Intermediate Certificates: SSL certificates usually consist of a root certificate, intermediate certificates, and the server certificate. If the intermediate certificates are missing from the server configuration, the browser will be unable to validate the certificate chain.
- Outdated CA Certificates: Your local system may not have the required root or intermediate certificates, especially if it’s running an outdated version of the CA bundle.
- Misconfigured Server: The server might not have been set up properly to provide the complete certificate chain. This issue could be a result of an incomplete certificate installation.
- Self-Signed Certificates: Self-signed certificates do not have a valid root certificate and are not recognized by browsers, leading to errors.
- Incorrect Certificate Chain: Sometimes the server sends the certificates in the wrong order. The server certificate should come first, followed by the intermediate certificates.
How to Fix “Unable to Get Local Issuer Certificate” Error
Follow these steps to resolve the “SSL certificate problem: Unable to get local issuer certificate” error:
Step 1: Verify the Certificate Chain
The first thing to check is whether the server is sending the correct certificate chain. An incomplete or misconfigured certificate chain is the most common cause of this error.
You can check the certificate chain using online SSL tools like SSL Labs’ SSL Test:
- Go to SSL Labs’ SSL Test.
- Enter the domain name and click Submit.
- Wait for the test to complete, and look at the Certificate Chain section. Ensure that the server certificate is followed by the correct intermediate certificates.
If the certificate chain is incomplete, this means your server is not sending the intermediate certificates, which is the likely cause of the error.
Step 2: Install Intermediate Certificates
If your server is missing intermediate certificates, you will need to install them. Intermediate certificates are crucial for linking the server certificate to the trusted root certificate.
- Download the Intermediate Certificates:
  - You can usually download the intermediate certificates from your SSL certificate provider. Check the provider’s documentation or website for links to the necessary intermediate certificates.
- Install the Intermediate Certificates:
  - For Apache:
    - Download the intermediate certificate files and place them in a directory on your server.
    - Open the Apache configuration file (ssl.conf or your site’s virtual host file).
    - Add the SSLCertificateChainFile directive and point it to the intermediate certificate file:
        SSLCertificateFile /path/to/your/server-certificate.crt
        SSLCertificateKeyFile /path/to/your/private-key.key
        SSLCertificateChainFile /path/to/your/intermediate-certificate.crt
    - Restart Apache:
        sudo service apache2 restart
  - For Nginx:
    - Concatenate your server certificate and intermediate certificate into a single file. For example:
        cat your_domain_name.crt intermediate.crt > fullchain.crt
    - Update the Nginx configuration to use the combined certificate:
        ssl_certificate /path/to/fullchain.crt;
        ssl_certificate_key /path/to/private-key.key;
    - Restart Nginx:
        sudo service nginx restart
- Verify Installation: After installing the intermediate certificates, run the SSL Labs’ SSL Test again to ensure the certificate chain is complete.
Step 3: Update Root CA Certificates
If your server or local system is missing the required root certificate, you may encounter the “Unable to get local issuer certificate” error. To fix this, ensure that your root CA certificates are up to date.
On Linux (Ubuntu/Debian):
- Update the CA Certificates:
sudo apt-get update
sudo apt-get install --reinstall ca-certificates
- Restart your server:
sudo systemctl restart apache2
On macOS:
- Open Keychain Access and find the root CA certificates.
- Ensure that the root certificate for your SSL provider is installed and trusted.
On Windows:
- Download the required root certificate from your CA provider.
- Open Internet Explorer, go to Internet Options, then Content > Certificates > Trusted Root Certification Authorities.
- Import the root certificate into the appropriate store.
Step 4: Check for Server Misconfiguration
If the server is still not sending the correct certificate chain, you may need to check the server’s SSL configuration. Ensure that:
- The server is sending the correct order of certificates (server certificate first, followed by intermediate certificates).
- Your certificate files (server and intermediate) are properly configured in the server’s SSL settings.
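The chain checks from Steps 1, 2 and 4 can be reproduced offline with OpenSSL. The script below is an added example, not part of the original guide: it builds a throwaway root, intermediate and server certificate, shows that verification fails with this exact error when the intermediate is not served, and checks the order of a bundle. The names Demo Root CA, Demo Intermediate CA and demo.example, and the helper function names, are constructed for the example.

```sh
#!/bin/sh
# Added example. All names (Demo Root CA, demo.example) are constructed for the demo.
set -eu

issue() {  # args: dir, name, CN, issuer name, extension section
  openssl req -config "$1/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" \
    -CAcreateserial -days 2 -extfile "$1/pki.cnf" -extensions "$5" \
    -out "$1/$2.crt" 2>/dev/null
}

make_demo_pki() {  # $1 = working directory; builds root -> intermediate -> leaf
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'CN = unused' \
    '[ca]' 'basicConstraints = critical,CA:TRUE' \
    '[leaf]' 'basicConstraints = CA:FALSE' > "$1/pki.cnf"
  openssl req -config "$1/pki.cnf" -x509 -extensions ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Demo Root CA" -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
  issue "$1" int "Demo Intermediate CA" root ca
  issue "$1" leaf "demo.example" int leaf
}

# Verify as a client would: trust only the root, use what the server sent as helpers.
# The first certificate in $2 is the one being verified.
served_chain_ok() {  # $1 = trusted root, $2 = PEM file the server sends
  openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>&1
}

# True when each certificate in the bundle is issued by the one after it
# (name-hash comparison only; signatures are checked by served_chain_ok).
chain_in_order() {  # $1 = PEM bundle
  prev=""; tmp=$(mktemp)
  while IFS= read -r line; do
    printf '%s\n' "$line" >> "$tmp"
    [ "$line" = "-----END CERTIFICATE-----" ] || continue
    [ -z "$prev" ] || [ "$(openssl x509 -noout -subject_hash < "$tmp")" = "$prev" ] ||
      { rm -f "$tmp"; return 1; }
    prev=$(openssl x509 -noout -issuer_hash < "$tmp"); : > "$tmp"
  done < "$1"
  rm -f "$tmp"
}

d=$(mktemp -d)
make_demo_pki "$d"
cat "$d/leaf.crt" "$d/int.crt" > "$d/fullchain.crt"  # leaf first, then intermediate
cat "$d/int.crt" "$d/leaf.crt" > "$d/reversed.crt"   # wrong order

served_chain_ok "$d/root.crt" "$d/leaf.crt" || echo "=> leaf only: issuer not found"
served_chain_ok "$d/root.crt" "$d/fullchain.crt" && echo "=> full chain verifies"
chain_in_order "$d/reversed.crt" || echo "=> reversed.crt: wrong order"
```

To run the same checks against a real deployment, pass your CA's root certificate and the combined file that Nginx serves as ssl_certificate to served_chain_ok and chain_in_order.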
Step 5: Clear Your Browser Cache
Sometimes, browsers store SSL certificate information, which might conflict with newer certificates. After updating the server’s SSL certificate chain, it’s essential to clear your browser cache.
- Open Chrome or Firefox.
- Go to Settings > Privacy > Clear browsing data.
- Select Cookies and other site data and Cached images and files, then click Clear Data.
Step 6: Check for Firewall or Proxy Issues
In some cases, a firewall or proxy might be interfering with the SSL handshake, causing this error. To ensure the firewall or proxy is not blocking the SSL certificates:
- Disable the firewall temporarily to check if the error persists.
- Ensure that the proxy server is configured correctly, and SSL interception is not happening.
Conclusion
The “SSL certificate problem: Unable to get local issuer certificate” error can usually be resolved by ensuring that your server sends the correct certificate chain, including the server and intermediate certificates. If that doesn’t fix the issue, updating root CA certificates, verifying server configuration, and clearing browser cache can help.
By following the steps outlined in this guide, you can ensure a properly configured SSL certificate that will prevent this error and allow users to access your website securely. If the issue persists, it may be a good idea to contact your SSL certificate provider for further assistance.