Unable to get local issuer certificate


Im using tomcat at my backend and I got four files after using letsencrypt:

sudo ./letsencrypt-auto certonly

I got:
cert.pem, chain.pem, fullchain.pem, privkey.pem.

Then in order to create keystore for tomcat I used following commands:

openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert_and_key.p12 -name tomcat -CAfile chain.pem -caname root

And after that:

keytool -importkeystore -deststorepass password destkeypass password destkeystore MyDSKeyStore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -srcstorepass password -alias tomcat

I’ve put the MyDSKKeyStore.jks into tomcat .keystore file. And application loading ok, but the problem appears when Im trying to do the

openssl s_client -connect host:port

giving me:

depth=0 CN = bla.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = bla.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = bla.com
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
0 s:/CN=bla.com
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3

The problem also happens when facebook webhook is trying to send get request to my app giving the error:

The request sent to your callback URL failed with the following error:
Callback verification failed with the following errors: curl_errno = 60; curl_error = SSL certificate problem: unable to get local issuer certificate; HTTP Status Code = 200; HTTP Message = Connection established

So how do I resolve the problem?


You need to somehow get the Tomcat to send over the intermediate certificates. These are the “missing links” between your certificate and a trusted root.

The chain.pem contains any extra intermediate certificates, fullchain.pem contains your certificate PLUS those extra intermediates. I don’t have a copy of keytool in front of me, but I would guess that you can repeat your steps and substitute fullchain.pem for cert.pem in your initial “openssl pkcs12” command something like:

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out cert_and_key.p12 -name tomcat


Thank you! It worked!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.