Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command:
(command from a PCI validation vendor and their scanning tool against my customer's FortiGate Firewall.)
It produced this output:
Error reported is "unable to get local issuer certificate"
Full error is "Certificate #0CN=vpn.newpathmhs.com ISSUER:_CN=R3,O=Let's_Encrypt,C=US unable to get local issuer certificate"
My web server is (include version):
Not for a web server. This certificate was installed for VPN (port 4433/tcp) and remote management (port 4443/tcp)
The operating system my web server runs on is (include version):
NA
My hosting provider, if applicable, is:
NA
I can login to a root shell on my machine (yes or no, or I don't know):
Using Certify the Web as my client on Windows 11.
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Client is Certify the Web, version of Certify Certificate Manager is 6.0.18.0
What does this error usually mean? What am I missing?
1- The Server is not configured with a correct Certificate Chain
2- The Client does not have the Root Certificate in their Trust Store
For the first part, when you get a Certificate there are 3 main components:
The Certificate for your domain. AKA "leaf" or "end entity" certificate.
A "Chain" of Certificates that link your Certificate up to a "Trusted Root" that is expected to be in the client computer's trust store.
The secret PrivateKey only you know about.
Your Certificate covers vpn.newpathmhs.com and was signed by the "R3" Certificate from Let's Encrypt. You need to make sure your server is configured to serve the R3 as a chain. (see Chains of Trust - Let's Encrypt)
Another possible issue is that the PCI validation vendor does not have the current root in their trust store.
By default, R3 chains up to "ISRG Root X1" which is in most operating systems shipped after 2016. (See Certificate Compatibility - Let's Encrypt). There is limited support - which will end within 3 months - to chain up from X1 to a cross-signed DST root that is in more operating systems.
The error is most likely due to not configuring the system with the correct chain (or any chain).
It's impossible to give you an accurate answer though, because:
1- We don't know what software your vendor is using. The error generated by one system has no relation to errors generated by others.
2- This is a VPN system, so we don't have access to it.