How fix: unable to get local issuer certificate

I ran this command:

openssl verify cert.pem

It produced this output:

error 20 at 0 depth lookup: unable to get local issuer certificate
error cert.pem: verification failed

My web server is: nginx/1.12.1

The operating system my web server runs on is (include version): Ubuntu 17.10

I can login to a root shell on my machine: yes

I'm using a control panel to manage my site: no

Help me, please


Usually we use the fullchain.pem instead of cert.pem to verify the cert.

Thank you

1 Like

I might suggest

openssl verify chain.pem
openssl verify -CAfile chain.pem cert.pem

chain.pem: OK
cert.pem: OK

I can not use a CURL in PHP.

Fatal error: Curl failed with error #60: SSL certificate problem: unable to get local issuer certificate

Interesting! Could you tell us an example URL that you’re trying to access that gives this error?

Do you get a similar error if you try to access the URL on the command line with curl -v?

I can not send my request to my site, but it turned out to google

  • Rebuilt URL to:
  • Trying
  • Connected to (85) port 443 (#0)
  • ALPN, offering http/1.1
  • Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
  • TLSv1.2 (OUT), TLS header, Certificate Status (22):
  • TLSv1.2 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (OUT), TLS alert, Server hello (2):
  • SSL certificate problem: unable to get local issuer certificate
  • Closing connection 0
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: curl - SSL CA Certificates

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.

Do you have a complete, working root certificate bundle in /etc/ssl/certs?

Could you also try connecting with openssl s_client -connect -servername This will output the certificates themselves when connecting, so you can see whether they’re the expected ones.

When I connected to your site with curl, I didn’t have any problems!

1 Like

Posted by
openssl s_client -connect -servername
I got a lot of information…

It’s very strange that I can spar my site from another ip, but I can not do it from my own

The certificates should be at the top. Before the certificate PEM data, you should see

Certificate chain
 0 s:/
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Certificate chain
0 s:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-5a84df801e163
i:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-5a84df801e163

Well, that’s definitely the source of the problem! Any idea why you’re connecting to a pfSense firewall here rather than directly to the server?

The pfSense firewall here is proxying your connection to the server and not allowing a direct TLS session to be established.

1 Like

Thanks! And what do you recommend to do?

Figure out who runs the firewall and why connections from that machine are being routed through it. (If it’s running on that machine, then it might be something about the machine’s own network configuration.)

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.