Unable to get local issuer certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bitcorner.de

I ran this command: openssl s_client -connect bitcorner.de:443 -showcerts

It produced this output:

CONNECTED(00000003)
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate

My web server is (include version):

Server version: Apache/2.4.10 (Linux/SUSE)
Server built: 2016-07-18 16:42:09.000000000 +0000
Server’s Module Magic Number: 20120211:36
Server loaded: APR 1.5.1, APR-UTIL 1.5.3
Compiled using: APR 1.5.1, APR-UTIL 1.5.3
Architecture: 64-bit
Server MPM: prefork
threaded: no
forked: yes (variable process count)

The operating system my web server runs on is (include version):

openSUSE and CentOS 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.37.2

How can I fix this?

Kind regards

Andreas

Name: bitcorner.de
Addresses: 2a03:4000:6:4123::1
37.120.166.21

IPv4 seems to be working.

Hi @porrier

that's the "always seen OpenSSL error message" if you don't use client certificates.

Completely normal. Check community.letsencrypt.org - you will see the same.

PS: Your website works with the new certificate ( https://check-your-website.server-daten.de/?q=bitcorner.de ):

CN=bitcorner.de
	28.08.2019
	26.11.2019
expires in 87 days	
bitcorner.de, chat.bitcorner.de, conference.bitcorner.de, 
ld.bitcorner.de, linedancer.bitcorner.de, listen.bitcorner.de, 
mail.bitcorner.de, meeting.bitcorner.de, proxy.bitcorner.de, 
upload.bitcorner.de, www.bitcorner.de - 
11 entries

Thank you for testing this!

If I test with links I get “Invalid certificate”. Something must be wrong. This is when I test from my workstation at home.
If I test it directly on the server with links, it connects without problem.

Is this a problem with my local cert store?

openssl s_client -connect bitcorner.de:443 -showcerts works on the server; on the workstation I get that error.

Test using the IPv4 address and then the IPv6 address:

  • openssl s_client -connect 212.27.42.2:443 -showcerts
  • openssl s_client -connect [2a01:e0c:1:1599::11]:443 -showcerts

makes no difference. Verify return code: 20 (unable to get local issuer certificate)

Is this a problem with my OpenSSL 1.1.1 11 Sep 2018 (Library: OpenSSL 1.1.1b 26 Feb 2019) ?

As written: you always see this message. That's not a problem.

openssl s_client -connect community.letsencrypt.org:443 -showcerts

There is the same message.

I have a problem with the gajim chat client. It refuses to upload an image with certificat_verify_failed. The author of that client says it’s probably a problem with the local cert store. I already did an update-ca-certificates: 0 added, 0 removed; done. I don’t remember having this problem before. I am using Linux Mint.

There is a new Ssllabs check of your domain

https://www.ssllabs.com/ssltest/analyze.html?d=bitcorner.de

Grade A+ - I don't think this is an error.

Then that author should be able to create a log with a detailed error message.

Or that tool uses some older settings.


@JuergenAuer, I think you've misremembered this. I just did the test you suggested and I didn't see that message. Instead, I saw No client certificate CA names sent.

I believe unable to get local issuer certificate is a problem of a self-signed certificate or an incomplete chain (using cert.pem instead of fullchain.pem, for example). In a tiny number of cases, it could also be due to falling back to a default server certificate when neglecting to send SNI with the OpenSSL -servername option.


Yep, sorry - client != local issuer.

I always have that "local issuer" error message:

G:\OpenSSL-Win64\bin>openssl s_client -connect community.letsencrypt.org:443 -showcerts
CONNECTED(00000158)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = community.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

But that's more of an installation problem: I don't add the required flags/folders, and I ignore that error.

I tried both in the httpd.conf

SSLCertificateFile /etc/letsencrypt/live/bitcorner.de/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bitcorner.de/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/bitcorner.de/chain.pem

and
SSLCertificateFile /etc/letsencrypt/live/bitcorner.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bitcorner.de/privkey.pem

The author of gajim says that’s because I don’t have the letsencrypt root cert installed on my local machine. How can I check this?

The chain of your webserver is correct, that’s already checked.

There you don’t send the root certificate, that’s correct. Only two certificates - yours and the Letsencrypt intermediate certificate.
