Problem with "unable to get local issuer certificate"


#1

Hi,
I need to setup a simple https server with Letsencrypt certificates, but it always fails when I make a simple CURL validation.

This CURL validation cannot be bypassed (-k or other) since my customer will call this https server, and they require to comply with several rules including curl https validation.

I setup my simple https server with following steps:

  • went to sslforfree and generated my ssl certificates, with manual option
  • downloaded successfully the 3 certificate files com sslforfree (private.key + certificate.crt + ca_bundle.crt)
  • created a simple node.js listener app on 443 port, that uses all 3 files (code below)

Now, if I test my node.js in chrome browser it returns a valid secure site, with correct html output. However, if I run the following simple curl command if always returns “curl: (60) SSL certificate problem: unable to get local issuer certificate” error:
curl https://www.manueldias29.club

What is missing in my configuration? Are Letsencrypt CA authority not recognized by curl?
Based on other forum post, it seems some pem certificate files maybe missing…
If so, how can I generate them and how do I process them in my https listener?

Thanks!
mdias

My domain is: www.manueldias20.club
I ran this command: curl https://www.manueldias29.club
It produced this output: (60) SSL certificate problem: unable to get local issuer certificate
The operating system my web server runs on is (include version): Windows 10
My web server is (include version): simple node.js https listener
// node.js simple example used
var https = require(‘https’); var fs = require(‘fs’);
var options = {
key: fs.readFileSync(‘private.key’),
cert: fs.readFileSync(‘certificate.crt’),
ca: fs.readFileSync(‘ca_bundle.crt’)
};

   https.createServer(options, function (req, res) {
        res.writeHead(200, { 'Content-Type': 'text/html' });
        res.write('Hello World!');
        res.end();
   }).listen(443);

#2

On windows, curl does not trust any certificates by default, have a look here…


#3

Hi,
I tested curl from a SUSE environment and it worked with no SSL errors…
So, just to confirm: this curl SSL error problem only occurs if executed from Windows OS, right?
Thanks
mdias


#4

As far as I understand: Yes, this seems to be specific to Windows environments.
The named solution solved the issue on different Windows environments (I personally know of at least five instances)


#5

could you solve the issue? can you confirm the solution worked for you?
thanks…
Rüdiger


#6

The OP is/was misusing the Node.js API.

The ca key in the options property is not for sending the CA bundle. There are some articles on the internet that seem to think otherwise, but they’re mistaken.

The proper way to do this is to append the CA bundle to the end of your certificate:

$ cat certificate.crt ca_bundle.crt > combined.pem

and provide that as the cert to Node’s API.

Do not use the ca option, it doesn’t do what you think it does.

This may depend where you got your curl distribution on Windows, but it generally isn’t true. (Example: try curl https://google.com).


#7

actually “error 60 - unable to get local issuer certificate” means that the ca root certificate for the ssl connection to the requested domain is not known to CURL.

So if you come across this error on a windows system, the solution is indeed as described:

This happens (on windows systems) because PHP CURL on Windows does not install “with a bundle of root certificates”, and the path to any root certificate bundle in PHP.INI is “commented out”.

If you successfully can try “curl https://google.com” , then you dont need this fixing (probably because somebody already fixed it).

see also:


#8

Yes. The problem was the CA used on our certificates.
When we generated them with LE CA, our app worked fine.
Thanks!


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.