Using OpenSSL with Mozilla Root CA Bundle to Avoid unable to get local issuer certificate Errors


After struggling for a while, I finally got LE to issue the certificates I wanted, but they don’t seem to validate. That is if I run “openssl s_client -connect” I get a the following.

depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate chain
0 s:/
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Server certificate



I’m working with an Apache 2.2.3 server. When the certs were generated, I received four files cert1.pem, chain1.pem, fullchain1.pem, and privkey1.pem. The private key was easy to install. My server has ca.pem file that holds the certificate chain and a localhost.crt file that holds the certificate. I have tried installing the cert two different ways (well, actually as many ways as I can think of, but these are the main ones). I copied the fullchain1.pem file over to the ca.cert file and removed the bottom cert and moved it into the localhost.crt file. That didn’t work. I also tried copying the chain1.crt into ca.pem and cert1.pem into localhost.crt. The Apache setting are below.

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateChainFile /etc/pki/tls/certs/ca.pem

Why can’t my server validate these certs?

Thank you.

OpenSSL’s s_client doesn’t use a root bundle for verification by default. If you’re verifying with the tool, make sure to include the “-CAfile” parameter and point it to the location of the root bundle on your system. The location can vary by distribution, but it’s usually under /etc/ssl, /etc/tls, or /etc/pki somewhere. In CentOS, it’s under /etc/pki/tls/certs/ca-bundle.crt, for example.

Altenrately, gnutls-cli works well and automatically uses the system root store to verify certificate chains. Likewise, ncat (included as part of nmap) also supports verifying certificate chains.


Hi @rdill17

Your server is correctly configured. You can also use an online scanner to verify this.

So others can benefit below are some screenshots.

A) Download the Mozilla CA Root Cert bundle from here:
B) Place it in a folder (I have used a folder called LE_TRAINING)

C) run as you have

openssl s_client -connect

D) Run with the CA Root Cert Bundle

openssl s_client -connect -CAfile .\MOZILLA_ROOT_BUNDLE.pem

E) There is one other test I recommend you do with OpenSSL and that is to check SNI behaviour

openssl s_client -connect -CAfile .\MOZILLA_ROOT_BUNDLE.pem -servername

Hope this helps. I would also suggest that you review Mozillas TLS Server Guidelines as you have some weak ciphers on your server.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.