Problem with "unable to get local issuer certificate"

Help
1

Hi,
I need to setup a simple https server with Letsencrypt certificates, but it always fails when I make a simple CURL validation.

This CURL validation cannot be bypassed (-k or other) since my customer will call this https server, and they require to comply with several rules including curl https validation.

I setup my simple https server with following steps:

  • went to sslforfree and generated my ssl certificates, with manual option
  • downloaded successfully the 3 certificate files com sslforfree (private.key + certificate.crt + ca_bundle.crt)
  • created a simple node.js listener app on 443 port, that uses all 3 files (code below)

Now, if I test my node.js in chrome browser it returns a valid secure site, with correct html output. However, if I run the following simple curl command if always returns ā€œcurl: (60) SSL certificate problem: unable to get local issuer certificateā€ error:
curl https://www.manueldias29.club

What is missing in my configuration? Are Letsencrypt CA authority not recognized by curl?
Based on other forum post, it seems some pem certificate files maybe missingā€¦
If so, how can I generate them and how do I process them in my https listener?

Thanks!
mdias

My domain is: www.manueldias20.club
I ran this command: curl https://www.manueldias29.club
It produced this output: (60) SSL certificate problem: unable to get local issuer certificate
The operating system my web server runs on is (include version): Windows 10
My web server is (include version): simple node.js https listener
// node.js simple example used
var https = require(ā€˜httpsā€™); var fs = require(ā€˜fsā€™);
var options = {
key: fs.readFileSync(ā€˜private.keyā€™),
cert: fs.readFileSync(ā€˜certificate.crtā€™),
ca: fs.readFileSync(ā€˜ca_bundle.crtā€™)
};

   https.createServer(options, function (req, res) {
        res.writeHead(200, { 'Content-Type': 'text/html' });
        res.write('Hello World!');
        res.end();
   }).listen(443);
2

On windows, curl does not trust any certificates by default, have a look here...

3

Hi,
I tested curl from a SUSE environment and it worked with no SSL errorsā€¦
So, just to confirm: this curl SSL error problem only occurs if executed from Windows OS, right?
Thanks
mdias

4

As far as I understand: Yes, this seems to be specific to Windows environments.
The named solution solved the issue on different Windows environments (I personally know of at least five instances)

5

could you solve the issue? can you confirm the solution worked for you?
thanksā€¦
RĆ¼diger

6

The OP is/was misusing the Node.js API.

The ca key in the options property is not for sending the CA bundle. There are some articles on the internet that seem to think otherwise, but they're mistaken.

The proper way to do this is to append the CA bundle to the end of your certificate:

$ cat certificate.crt ca_bundle.crt > combined.pem

and provide that as the cert to Node's API.

Do not use the ca option, it doesn't do what you think it does.

This may depend where you got your curl distribution on Windows, but it generally isn't true. (Example: try curl https://google.com).

7

actually ā€œerror 60 - unable to get local issuer certificateā€ means that the ca root certificate for the ssl connection to the requested domain is not known to CURL.

So if you come across this error on a windows system, the solution is indeed as described:

This happens (on windows systems) because PHP CURL on Windows does not install ā€œwith a bundle of root certificatesā€, and the path to any root certificate bundle in PHP.INI is ā€œcommented outā€.

If you successfully can try ā€œcurl https://google.comā€ , then you dont need this fixing (probably because somebody already fixed it).

see also:

8

Yes. The problem was the CA used on our certificates.
When we generated them with LE CA, our app worked fine.
Thanks!