Error: SSL certificate problem: unable to get local issuer certificate

Good day, I’m setting up a speedtest server for ookla, when I do a test on the ookla page, it gives me the following error

Error: SSL certificate problem: unable to get local issuer certificate

could you help me.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


My domain is

My web server
Is apache2 ubuntu 16.04

My hosting

Redes Hibridas S.A.

Version Cetbot

certbot 0.32.0

Hi @Edson

I don't find a problem (checked with ):

Your Letsencrypt - certificate is new
expires in 89 days - 1 entry

and your https version is ok.

Domainname Http-Status redirect Sec. G 200 0.373 H 200 6.970 B 404 0.353 A

Same with my browser - there is a standard Apache2 Ubuntu page.

Checked with SSLLabs, there is a Grade A, no incomplete chain:

Do you have a screenshot?


attached image of the error that I get when I test my server on


When consulting the ookla support they indicate the following, but I do not understand, since my certificate is fine.

The certificate is not signed by a trusted authority (checking against Mozilla’s root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.


help please

I have no idea why there is an error message.

Ok, it’s port 8080, not 443.

But checking port 8080 ( ) there is the same picture: The valid Letsencrypt certificate with the correct intermediate certificate.

Ok, played with OpenSSL: Your port 443 sends the intermediate certificate:

Certificate chain
 0 s:CN =
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

your port 8080 not:

Certificate chain
 0 s:CN =
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

So check your port 443 config and copy the two or three lines with the certificate files to your port 8080 - configuration.

1 Like

@JuergenAuer thanks for information.

I comment, when entering by https to the domain by port 8080 gives it to me safely, I do not understand what it means to place the info of 3 lines from port 443 to port 8080

I also do not know what the local failure error means

I attached the image securely


Your port 443 / standard https has the correct configuration.

Your special port 8080 / not standard has the wrong configuration.

So find your vHost / port 443 and compare that with the vHost of your port 8080.

That was a good idea.

Now I’ve found a solution to check the “real certificate chain” of a connection. In combination with the port specific check:

speedtest … has now (in the connections) a new row:

|0|s:CN =|

My own domain has two rows:

|0|s:CN = *|
|1|s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3|

So it’s visible that the certificate chain is incomplete. And that works with non standard ports. Must add a new warning message :wink:


I already added everything equal to the vhost 8080 and still I get the same error when running the test in digicert.

I attach errors and settings.



I do not know what else I could do to solve this error

Could we see the Apache configuration? Is it possible that you used cert.pem instead of fullchain.pem somewhere?

Then share your vHost - port 443 - configuration. These are two or three lines you have to copy:

    SSLCertificateFile /usr/local/ssl/crt/public.crt
    SSLCertificateKeyFile /usr/local/ssl/private/private.key
    SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt

Then restart your Apache and recheck your port 8080. Your incomplete chain is now visible:

Chain - incomplete 0 s:CN =

@JuergenAuer @schoen

thanks for the info

I attached the images of my configuration in the Vhost 442 and Vhost 8080

tell me if it is properly configured

There are duplicated lines, remove these (ServerName, Include, SSLCertificateFile / keyfile).

And your 8080 doesn’t have a ServerName, perhaps it isn’t used.

I attach images with the updated configuration