Unable to get local issuer certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Also I downloaded the * Certificate details (signed by ISRG Root X2)

I ran this command:
openssl s_client -connect onlineshop-qa.hajoona-development.de:443 -tls1_2

It produced this output:

subject=CN=onlineshop-qa.hajoona-development.de
issuer=C=US, O=Let's Encrypt, CN=E6
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 2460 bytes and written 400 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Protocol: TLSv1.2
Server public key is 384 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: C5230000B9833A92F4D09F3D01DEA28579329B1883F7863B6FE3B9CB68D30EF7
    Session-ID-ctx:
    Master-Key: 8444EE93082097E1B065E19FB526DA6FDB035ACA57877C3A680A5BB4CD4E14AD1F00E0F6CB9F978F0F197B29E8799F69
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1732009782
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes
---
read:errno=10054

My web server is (include version):
Windows server 2019 standard version 1809

The operating system my web server runs on is (include version):
Windows server 2019 standard version 1809

My hosting provider, if applicable, is:
Hosteurope

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): simple Windows ACMEv2 client (WACS)

The certificate currently being served is correct. "unable to get local issuer certificate" implies the machine you are testing on does not have an up-to-date ca-certificate bundle for openssl, e.g. it doesn't know ISRG Root X1 or ISRG Root X2.

Are you testing from windows or linux?

Your certificate is ok: SSL Server Test: onlineshop-qa.hajoona-development.de (Powered by Qualys SSL Labs)

3 Likes
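The openssl error above only says that openssl's own CA bundle lacks the Let's Encrypt root; Windows (SChannel) keeps a separate trust store, so a second check from the Windows side tells you whether the server's chain is actually fine for Windows clients. The following is an added example, not code from the thread: `Test-TlsChain` and `Get-IsrgRoots` are assumed names of our own. `Test-TlsChain` does a TLS 1.2-only handshake through .NET's `SslStream` (which uses SChannel on Windows PowerShell 5.1) and reports the chain and policy verdict Windows computes, independent of openssl; `Get-IsrgRoots` lists ISRG roots present in the machine-wide stores. The host in the usage line is the one from this thread.

```powershell
# Added example (not from the thread); function names are our own.
# TLS 1.2-only handshake via .NET SslStream (SChannel), reporting the certificate
# chain and policy errors as Windows sees them, independent of openssl's CA bundle.
function Test-TlsChain {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )

    # Filled in by reference from inside the validation callback.
    $seen = @{ PolicyErrors = $null; Chain = @(); ChainStatus = @() }

    $callback = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        # Copy what we need now; the X509Chain may be disposed once the callback returns.
        $seen.PolicyErrors = $sslPolicyErrors
        $seen.Chain        = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        $seen.ChainStatus  = @($chain.ChainStatus   | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        return $true   # diagnostic only: report the verdict instead of aborting the handshake
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # Restrict to TLS 1.2, mirroring `openssl s_client -tls1_2`. Revocation checking is
        # off, so a failure reported here is a trust/chain problem, not a CRL/OCSP one.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)

        [pscustomobject]@{
            Host         = $HostName
            Protocol     = $ssl.SslProtocol
            Cipher       = "$($ssl.CipherAlgorithm)-$($ssl.CipherStrength)"
            KeyExchange  = $ssl.KeyExchangeAlgorithm
            PolicyErrors = $seen.PolicyErrors      # 'None' means Windows trusts the chain
            Chain        = $seen.Chain             # leaf -> intermediate (E6) -> root
            ChainStatus  = $seen.ChainStatus       # e.g. 'PartialChain' or 'UntrustedRoot'
        }
    }
    finally {
        $tcp.Dispose()
    }
}

# Lists any ISRG (Let's Encrypt) roots already present in the machine-wide stores.
# Absence is not by itself a failure: Windows fetches missing roots on demand through
# Automatic Root Certificates Update unless that mechanism is blocked by policy.
function Get-IsrgRoots {
    Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot |
        Where-Object { $_.Subject -like '*ISRG Root X*' } |
        Select-Object Subject, Thumbprint, NotAfter, PSParentPath
}

Get-IsrgRoots
Test-TlsChain -HostName onlineshop-qa.hajoona-development.de | Format-List
```

If `PolicyErrors` comes back as `None` while openssl still reports verify code 20, the problem is purely openssl's bundle: point it at a file containing ISRG Root X1 and X2 with `-CAfile` (the roots are published at https://letsencrypt.org/certificates/), and `Verify return code: 0 (ok)` confirms the chain.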

I am testing from Windows.

The goal is to disable TLS 1.0 and 1.1 and only allow TLS 1.2, but recently when we turned off 1.0 and 1.1 the website was not accessible anymore and we had to turn TLS 1.0 and 1.1 back on.
The website connection is with TLS 1.2, but when we turn off the older versions of TLS the website is not accessible anymore.

How did you do that?

1 Like

In registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0 set the "Enabled" = 0

You should try using this tool instead:
https://www.nartac.com/Products/IISCrypto/

[changes require reboot to take effect]

2 Likes

+1 on using IIS Crypto to configure your TLS protocol and cipher suites. Also be aware that if your Server 2019 was an in-place upgrade from an older version of Windows, some important TLS ciphers may not be enabled, particularly common ECDSA ones. If you don't enable the required cipher suites then the clients cannot establish a common cipher suite to communicate with.

You could switch your certificate key to RSA instead of EC, which would let you use RSA specific cipher suites.

As an aside, note that the developer of win-acme has forked the project into simple-acme and I'd expect that will get more updates in the future. Other windows based clients are also available :slight_smile:

2 Likes
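The two replies above describe the failure mode exactly: the protocol switches live under the SCHANNEL `Protocols` registry key, and a server with an ECDSA certificate (the openssl output earlier shows `Peer signature type: ECDSA` and an `ECDHE-ECDSA` suite) can only offer `TLS_ECDHE_ECDSA_*` cipher suites, so if those are missing from the suite order there is nothing left for TLS 1.2-only clients once TLS 1.0/1.1 are off. The following read-only audit is an added example, not code from the thread or from IIS Crypto; `Get-SchannelProtocolState` and `Get-Tls12CipherSuites` are assumed names of our own. It uses the registry path quoted in this thread and the built-in `Get-TlsCipherSuite` cmdlet (TLS module, Windows Server 2016 and later), which reports each enabled suite with the protocol versions it supports (771 is TLS 1.2) and the certificate key type it needs.

```powershell
# Added example (not from the thread); function names are our own.
# Read-only audit of the SChannel protocol switches and of the cipher suites
# actually available to TLS 1.2 clients, to check a change before rebooting.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Reads Enabled / DisabledByDefault from each protocol's Server and Client subkeys.
# A missing key or value means "operating-system default"; Enabled = 0 turns the
# protocol off after a reboot. These are the values IIS Crypto writes for you.
function Get-SchannelProtocolState {
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $key   = Join-Path (Join-Path $schannel $proto) $side
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = if ($null -ne $props -and $null -ne $props.Enabled) { $props.Enabled } else { 'default' }
                DisabledByDefault = if ($null -ne $props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'default' }
            }
        }
    }
}

# Get-TlsCipherSuite lists the suites currently enabled on this machine. Each entry
# carries the protocol versions it supports (771 = TLS 1.2) and the certificate key
# type it requires ('ECDSA' or 'RSA'). With an ECDSA certificate only ECDSA suites count.
function Get-Tls12CipherSuites {
    param([ValidateSet('ECDSA', 'RSA')] [string] $CertificateType = 'ECDSA')

    Get-TlsCipherSuite |
        Where-Object { $_.Protocols -contains 771 -and $_.Certificate -eq $CertificateType } |
        Select-Object Name, Exchange, Cipher, Hash
}

Get-SchannelProtocolState | Format-Table -AutoSize

$ecdsa = @(Get-Tls12CipherSuites -CertificateType ECDSA)
if ($ecdsa.Count -eq 0) {
    Write-Warning 'No TLS 1.2 cipher suite usable with an ECDSA certificate is enabled; TLS 1.2-only clients will fail to connect.'
} else {
    $ecdsa | Format-Table -AutoSize
}
```

Run it once before and once after applying a template in IIS Crypto: the first table should show `Enabled = 0` for TLS 1.0/1.1 on the Server side only after the change, and the second must still list at least one `TLS_ECDHE_ECDSA_*` suite, otherwise the site will go dark on reboot exactly as described in this thread. If the plan is to switch the certificate to an RSA key instead, rerun with `-CertificateType RSA`.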

Yes, I know about it and use the tool to implement the best practice that IIS Crypto offers.

We regularly update the server and it is up to date.

Which cipher suites does TLS 1.2 require? Do you have any suggestion of a link where I can find this information? We have enabled the SSL Cipher Suite Order policy and added many ciphers, but maybe we are missing some that are needed for TLS 1.2.

Can you share other client details?

How are you testing that the website is accessible, which browser, operating system and version etc? What is the error reported?

2 Likes

Right now we are not testing, just doing the research to avoid the website-not-accessible issue. When we were testing we disabled TLS 1.0 and 1.1, also disabled weak ciphers and only enabled TLS 1.2, and when we restarted the server the website was not accessible to anyone over the internet. Now the changes are reverted and TLS 1.0, 1.1 and 1.2 are enabled, and that is why the website can be accessed.

Then I would suggest you don't make registry changes [manually] and only use the suggested tool.

1 Like

I'd recommend snapshotting your VM and using it to create a test system, then connecting to that by editing your hosts file to point the domain to the test VM IP. Then you can freely test changes without affecting production.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.