Unable to get local issuer certificate and unable to verify the first certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: temploggerlwin.site

I ran this command: openssl s_client -connect temploggerlwin.site:443 -servername temploggerlwin.site

It produced this output:
CONNECTED(00000003)
depth=0 CN = temploggerlwin.site
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = temploggerlwin.site
verify error:num=21:unable to verify the first certificate
verify return:1

My web server is (include version): I am using nginx

        listen 443 ssl http2 default_server; # managed by Certbot
        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/temploggerlwin.site/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/temploggerlwin.site/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

The operating system my web server runs on is (include version):
Distributor ID: Ubuntu
Description: Ubuntu 24.10
Release: 24.10
Codename: oracular

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 4.0.0

I have no problem connecting to it from Ubuntu 24.04 (although WSL):
Could you reinstall the ca-certificates package on the client?

Hi @orangepizza, after reinstalling, I am still having the issue.

If I call from the browser, it shows like this.

Can we see what certificate the client gets when it connects to the server?

Check that www.temploggerlwin.site resolves to the server you think it does. It's working fine externally but may be failing for you on your own network (e.g. it could be resolving to a different host).

@orangepizza, yes, please.
CONNECTED(00000003).txt (6.8 KB)

i:C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FGT61ETK18026947, emailAddress = support@fortinet.com
-----BEGIN CERTIFICATE-----

You have a Fortinet intercepting the TLS connection.
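
Added example (not part of any post in this thread): the check used above, reading the `i:` issuer line of the certificate the client actually received, written as a small parser for `openssl s_client` output. The function names, the expected-issuer set and both sample outputs are assumptions constructed for illustration; the Fortinet issuer line is the one quoted in the thread.

```python
import re

# Assumption: the site's certificate is issued by Let's Encrypt (Certbot-managed config).
EXPECTED_ISSUER_ORGS = {"Let's Encrypt"}
# Matches ' 0 s:<dn>' and '   i:<dn>' lines of the s_client "Certificate chain" block.
_CHAIN_LINE = re.compile(r"^\s*(?:\d+\s+)?([si]):(.*)$")

def parse_dn(dn):
    """Split a one-line DN ('C = US, O = X' or legacy '/C=US/O=X') into a dict."""
    dn = dn.strip()
    sep = r"/" if dn.startswith("/") else r",\s*(?=[\w.]+\s*=)"
    fields = {}
    for part in re.split(sep, dn):
        key, _, value = part.partition("=")
        if value:
            fields.setdefault(key.strip(), value.strip())
    return fields

def parse_chain(s_client_output):
    """Return one {'subject': ..., 'issuer': ...} dict per certificate, leaf first."""
    chain = []
    for line in s_client_output.splitlines():
        m = _CHAIN_LINE.match(line)
        if m and m.group(1) == "s":
            chain.append({"subject": parse_dn(m.group(2))})
        elif m and chain:
            chain[-1]["issuer"] = parse_dn(m.group(2))
    return chain

def check_leaf_issuer(s_client_output, expected_orgs=EXPECTED_ISSUER_ORGS):
    """Classify the issuer of the leaf certificate the client received."""
    chain = parse_chain(s_client_output)
    if not chain or "issuer" not in chain[0]:
        return ("no-chain", None)
    issuer = chain[0]["issuer"]
    org = issuer.get("O")
    verdict = "expected" if org in expected_orgs else "unexpected-issuer"
    return (verdict, org or issuer.get("CN"))

# Constructed samples: the issuer line quoted in the thread, and a direct connection.
INTERCEPTED = """Certificate chain
 0 s:CN = temploggerlwin.site
   i:C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = FGT61ETK18026947, emailAddress = support@fortinet.com
"""
DIRECT = """Certificate chain
 0 s:CN = temploggerlwin.site
   i:C = US, O = Let's Encrypt, CN = R11
"""
```

An `unexpected-issuer` verdict on one network and `expected` on another, for the same hostname, points at a middlebox re-signing the connection rather than at the server's own configuration.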

@webprofusion, oh ya, it's working fine with another network. So my network is blocking because of an invalid cert?

Yes, speak to your company networking team.

@webprofusion @orangepizza Thank you so much for the help. Since you pointed out FortiGate, I found this thread => Certificate not trusted by Fortigate, and I also found this to validate by FortiGate whether my site is valid or not.
