"unable to get local issuer certificate"

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
vpn.newpathmhs.com

I ran this command:
(command from a PCI validation vendor and their scanning tool against my customer's FortiGate Firewall. )
It produced this output:
Error reported is "unable to get local issuer certificate"
Full error is "Certificate #0 CN=vpn.newpathmhs.com ISSUER:_CN=R3,O=Let's_Encrypt,C=US unable to get local issuer certificate"

My web server is (include version):
Not for a web server. This certificate was installed for VPN (port 4433/tcp) and remote management (port 4443/tcp)

The operating system my web server runs on is (include version):
NA

My hosting provider, if applicable, is:
NA

I can login to a root shell on my machine (yes or no, or I don't know):
Using Certify the Web as my client on Windows 11.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Client is Certify the Web, version of Certify Certificate Manager is 6.0.18.0

What does this error usually mean? What am I missing?

Thank you!
Kevin

1 Like

Hello @, welcome to the Let's Encrypt community. :slightly_smiling_face:

Well it looks like nobody form the outside can see your machine.

$ nmap -Pn -p25,80,443,465,587,993 vpn.newpathmhs.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-28 09:31 PDT
Nmap scan report for vpn.newpathmhs.com (207.153.10.50)
Host is up.
rDNS record for 207.153.10.50: 207-153-10-50.static.fttp.usinternet.com

PORT    STATE    SERVICE
25/tcp  filtered smtp
80/tcp  filtered http
443/tcp filtered https
465/tcp filtered smtps
587/tcp filtered submission
993/tcp filtered imaps

Nmap done: 1 IP address (1 host up) scanned in 3.32 seconds

Update: Ports 4433 and 4443 are Open.

$ nmap -Pn -p25,80,443,465,587,993,4433,4443 vpn.newpathmhs.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-28 09:33 PDT
Nmap scan report for vpn.newpathmhs.com (207.153.10.50)
Host is up (0.063s latency).
rDNS record for 207.153.10.50: 207-153-10-50.static.fttp.usinternet.com

PORT     STATE    SERVICE
25/tcp   filtered smtp
80/tcp   filtered http
443/tcp  filtered https
465/tcp  filtered smtps
587/tcp  filtered submission
993/tcp  filtered imaps
4433/tcp open     vop
4443/tcp open     pharos

Nmap done: 1 IP address (1 host up) scanned in 1.89 seconds
2 Likes

I can't connect to port 4433, but on port 4443, you're only sending the end leaf certificate without the intermediate certificate.

How did you install the certificate and chain, provided by Certify the Web, into your Fortigate device?

@Bruce5051 Please read the post; apparently the ports of interest are possibly 4433 and also 4443. Not regular webserver ports.

3 Likes

@Osiris I just did and edit my post. Thank you very much @Osiris! :slight_smile:

4 Likes

Please see Verifying a certificate - #5 by jsha

Here is what I see on Port 4433; https://decoder.link/sslchecker/vpn.newpathmhs.com/4433

$ openssl s_client -showcerts -servername vpn.newpathmhs.com -connect vpn.newpathmhs.com:4433 < /dev/null
CONNECTED(00000003)
depth=0 CN = vpn.newpathmhs.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = vpn.newpathmhs.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = vpn.newpathmhs.com
verify return:1
---
Certificate chain
 0 s:CN = vpn.newpathmhs.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 22 16:08:35 2024 GMT; NotAfter: Aug 20 16:08:34 2024 GMT
-----BEGIN CERTIFICATE-----
MIIE8jCCA9qgAwIBAgISBFI3y8lgfHkEtewqqhnKuTEkMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yNDA1MjIxNjA4MzVaFw0yNDA4MjAxNjA4MzRaMB0xGzAZBgNVBAMT
EnZwbi5uZXdwYXRobWhzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAMchTm4wLumuDH6SY1RxnIgZEpEB4gZPjrtfz6MZTrjk3iozgPSjq0JUerNh
QCL+DbKHh+vPabpEXE8iWlWD0QMBfpvBpHWUDm3pOx8NaL6TOg01wZ1abcbbOtl9
VQ+E4znJDgYxY8Wz7Jp0pglgyC100TVb/ku5czbTnhTvrA3qhbpUE9PjyhHfEXxA
d7ocUve0ryTq2sXq5NAyzVLFh7lfpHVkicg9kXKc1NRYdp5zYq+ECa2JOBboax8v
rF0VTpR7+9SZnAh1Jeu8pOpsNDHE/2+I3V9FSNMQTjAfn5kXKrS0nAgAjqxGn76V
LIG68vQp63j3qQWADwrMv8J4jSsCAwEAAaOCAhUwggIRMA4GA1UdDwEB/wQEAwIF
oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAd
BgNVHQ4EFgQU9z37tFGW5Nqlhc9qbVSbL+2RnP4wHwYDVR0jBBgwFoAUFC6zF7dY
VsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRw
Oi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNy
Lm9yZy8wHQYDVR0RBBYwFIISdnBuLm5ld3BhdGhtaHMuY29tMBMGA1UdIAQMMAow
CAYGZ4EMAQIBMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHYAPxdLT9ciR1iUHWUc
hL4NEu2QN38fhWrrwb8ohez4ZG4AAAGPoUav1QAABAMARzBFAiEAlmxWHkUE5EVH
bqvINWopwrJ50XJQxo8NN+UOJPEezqICIHTfDDjH+uIIFfnD9VGmU0nZcMXp/SzY
N+PnnLeq2L4sAHcA7s3QZNXbGs7FXLedtM0TojKHRny87N7DUUhZRnEftZsAAAGP
oUav0gAABAMASDBGAiEA1dHwcUuZj7VAi1t3ovc2qsL4jvUEP7UNNfH0xRc55j4C
IQDsvp9bbbPnUMook0EfOBBmbwqekqfwITAfb690H5qddTANBgkqhkiG9w0BAQsF
AAOCAQEArpmV4m0UDPeuX0c79G0NnjOg10pKgtWDQ2WlHdeeMQdVUc4e9GYDb9QX
xWV/Ke91ioeBIJ1ZFWPIB5Y5zG1JpQnNFeMdTWPxExKySlT9J1idI8nLk0W9W4up
6w0d34iMXDn84Fysphx9kvEDBybOT3+GnjgPiaIhXEItDQnG8wERXuY5jiAhmuJk
jAmL8SOKV1htsUkwevD867W0Eks6SN6B5TDlWGSxtimB4LFbE0sfZNvflu2MJDu3
xa21IHUyoXjhWzOShGR8WlXgWO/r5JNNcMpwD7DKTmQrpYMDgoePurSt8k5xEDCM
W8y9CsiiuoiBA+8Fh6vjvCebYpcKIg==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = vpn.newpathmhs.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 1988 bytes and written 785 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
DONE

Here is what I see on Port 4443; https://decoder.link/sslchecker/vpn.newpathmhs.com/4443

$ openssl s_client -showcerts -servername vpn.newpathmhs.com -connect vpn.newpathmhs.com:4443 < /dev/null
CONNECTED(00000003)
depth=0 CN = vpn.newpathmhs.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = vpn.newpathmhs.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = vpn.newpathmhs.com
verify return:1
---
Certificate chain
 0 s:CN = vpn.newpathmhs.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 22 16:08:35 2024 GMT; NotAfter: Aug 20 16:08:34 2024 GMT
-----BEGIN CERTIFICATE-----
MIIE8jCCA9qgAwIBAgISBFI3y8lgfHkEtewqqhnKuTEkMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yNDA1MjIxNjA4MzVaFw0yNDA4MjAxNjA4MzRaMB0xGzAZBgNVBAMT
EnZwbi5uZXdwYXRobWhzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAMchTm4wLumuDH6SY1RxnIgZEpEB4gZPjrtfz6MZTrjk3iozgPSjq0JUerNh
QCL+DbKHh+vPabpEXE8iWlWD0QMBfpvBpHWUDm3pOx8NaL6TOg01wZ1abcbbOtl9
VQ+E4znJDgYxY8Wz7Jp0pglgyC100TVb/ku5czbTnhTvrA3qhbpUE9PjyhHfEXxA
d7ocUve0ryTq2sXq5NAyzVLFh7lfpHVkicg9kXKc1NRYdp5zYq+ECa2JOBboax8v
rF0VTpR7+9SZnAh1Jeu8pOpsNDHE/2+I3V9FSNMQTjAfn5kXKrS0nAgAjqxGn76V
LIG68vQp63j3qQWADwrMv8J4jSsCAwEAAaOCAhUwggIRMA4GA1UdDwEB/wQEAwIF
oDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAd
BgNVHQ4EFgQU9z37tFGW5Nqlhc9qbVSbL+2RnP4wHwYDVR0jBBgwFoAUFC6zF7dY
VsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRw
Oi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNy
Lm9yZy8wHQYDVR0RBBYwFIISdnBuLm5ld3BhdGhtaHMuY29tMBMGA1UdIAQMMAow
CAYGZ4EMAQIBMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHYAPxdLT9ciR1iUHWUc
hL4NEu2QN38fhWrrwb8ohez4ZG4AAAGPoUav1QAABAMARzBFAiEAlmxWHkUE5EVH
bqvINWopwrJ50XJQxo8NN+UOJPEezqICIHTfDDjH+uIIFfnD9VGmU0nZcMXp/SzY
N+PnnLeq2L4sAHcA7s3QZNXbGs7FXLedtM0TojKHRny87N7DUUhZRnEftZsAAAGP
oUav0gAABAMASDBGAiEA1dHwcUuZj7VAi1t3ovc2qsL4jvUEP7UNNfH0xRc55j4C
IQDsvp9bbbPnUMook0EfOBBmbwqekqfwITAfb690H5qddTANBgkqhkiG9w0BAQsF
AAOCAQEArpmV4m0UDPeuX0c79G0NnjOg10pKgtWDQ2WlHdeeMQdVUc4e9GYDb9QX
xWV/Ke91ioeBIJ1ZFWPIB5Y5zG1JpQnNFeMdTWPxExKySlT9J1idI8nLk0W9W4up
6w0d34iMXDn84Fysphx9kvEDBybOT3+GnjgPiaIhXEItDQnG8wERXuY5jiAhmuJk
jAmL8SOKV1htsUkwevD867W0Eks6SN6B5TDlWGSxtimB4LFbE0sfZNvflu2MJDu3
xa21IHUyoXjhWzOShGR8WlXgWO/r5JNNcMpwD7DKTmQrpYMDgoePurSt8k5xEDCM
W8y9CsiiuoiBA+8Fh6vjvCebYpcKIg==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = vpn.newpathmhs.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1952 bytes and written 753 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
DONE
2 Likes

This usually happens for one of 2 reasons:

1- The Server is not configured with a correct Certificate Chain
2- The Client does not have the Root Certificate in their Trust Store

For the first part, when you get a Certificate there are 3 main components:

  • The Certificate for your domain. AKA "leaf" or "end entity" certificate.
  • A "Chain" of Certificates that link your Certificate up to a "Trusted Root" that is expected to be in the client computer's trust store.
  • The secret PrivateKey only you know about.

Your Certificate covers vpn.newpathmhs.com and was signed by the "R3" Certificate from LetsEncrypt. You need to make sure your server is configured to serve the R3 as a chain. (see Chains of Trust - Let's Encrypt )

Another possible issue, is the PCI validation vendor does not have the current root in their trust store.

By default, R3 chains up to "ISRG Root X1" which is in most operating systems shipped after 2016. (See Certificate Compatibility - Let's Encrypt). There is limited support - which will end within 3 months - to chain up from X1 to a cross-signed DST root that is in more operating systems.

The error is most likely due to not configuring the system with the correct chain (or any chain).

It's impossible to give you an accurate answer though, because:

1- We don't know what software your vendor is using. The error generated by one system has no relation to errors generated by others.

2- This is a VPN system, so we don't have access to it.

5 Likes