Verify error:num=20:unable to get local issuer certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: openssl s_client -connect -servername

It produced this output:

root@ul18ipv46:/var/tmp/trash#  openssl s_client -connect -servername
depth=0 O = TrueNAS (Nextcloud), CN = localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = TrueNAS (Nextcloud), CN = localhost
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
 0 s:O = TrueNAS (Nextcloud), CN = localhost
   i:O = TrueNAS (Nextcloud), CN = TrueNAS (Nextcloud) local Root CA
Server certificate
subject=O = TrueNAS (Nextcloud), CN = localhost

My web server is (include version): nginx 1.20.1

The operating system my web server runs on is (include version):TrueNAS-12.0-U5.1

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):1.18.0

Maybe I've missed it, but do you have a specific question for the Community?

My bad - I am trying to figure out what's wrong with this certificate and how I can fix it? It also impacts my onlyoffice install in Nextcloud with a similar error. Pretty sure it has to do with this error too: Error when trying to connect (cURL error 60: SSL certificate problem: unable to get local issuer certificate (see libcurl - Error Codes)

It's a self signed certificate, probably generated by your NAS itself.

What do you want?

I'm guessing a Let's Encrypt certificate, but you're not explicitly stating/asking that.

Where does that error come from?

This is a cert from Let's Encrypt generated by certbot. I obviously want to fix the issue and get rid of this error so I will have a working SSL connection, and the last error comes from onlyoffice in the Nextcloud install. I've read a few similar topics with the same error, but they are not very relevant to my case.

No, it's not:

It maybe wasn't a self-signed certificate, but it surely isn't a Let's Encrypt certificate!

I can see you've issued a LE cert fairly recently: |

However, for some reason your Nextcloud software isn't using it. How did you acquire the LE certificate last Thursday? You said certbot, but what exact command did you use? Including all the command line options please.

certbot --nginx -d - then I entered my e-mails - went through some screens with questions, it failed a few times but then finally worked. certbot renew --dry-run - came back with an error

Well it must be a Nextcloud cert then

Ok, so let's check a few things. First, let's check if certbot still has the certificate laying around with the following command:

sudo certbot certificates

It should output your certificate.

Next, let's see the nginx configuration with the command:

sudo nginx -T

nginx -t.txt (16.0 KB)

Could you please post the contents of /usr/local/etc/letsencrypt/live/truenas/fullchain.pem ? It should not contain any private key, just certificates.

fullchain_truenas.txt (1.1 KB)

Well, that's weird.. That's the TrueNAS Nextcloud certificate.

It seems that darn piece of #)*$()# software just overwrote the certbot certificate? Assuming you didn't do that :stuck_out_tongue:

Could you perhaps also post the cert.pem and chain.pem from that same directory? Let's check if those files were kept unharmed.

No, I didn't. There is no cert.pem file in the truenas folder, but there is one in / though. I will post it just in case
cert.pem.txt (1.8 KB)
chain.pem (1.2 KB)

Ooohh, wait, I didn't see that just now! My bad.

Ah yes, that's your Let's Encrypt certificate! That's good.

The chain.pems are from Nextcloud, they're probably from the truenas folder (which I didn't notice, so sorry about that).

Can you also post fullchain.pem and chain.pem from the / folder? Just to make sure everything is OK there.. And in case those files are all fine, could you also post the contents of /usr/local/etc/letsencrypt/renewal/ ? Because we need to fix two things: your Nextcloud and your certbot for renewal.

Sure - here you go
fullchain.pem (5.5 KB)
chain.pem (3.7 KB)

renew_before_expiry = 30 days

version = 1.18.0
archive_dir = /usr/local/etc/letsencrypt/archive/
cert = /usr/local/etc/letsencrypt/live/
privkey = /usr/local/etc/letsencrypt/live/
chain = /usr/local/etc/letsencrypt/live/
fullchain = /usr/local/etc/letsencrypt/live/

Options used in the renewal process

account = 41e216181510ed12c1199f2c3d63b7e4
authenticator = nginx
installer = nginx
server = (5.5 KB)

chain.pem is looking good. However, the upload of fullchain.pem for some reason didn't work properly. And cert.pem neither.

Your renewal configuration looks sane, let's upload cert.pem and fullchain.pem again just to make sure.

Hmm, nevermind fullchain.pem, you can download the not-working "figure": it's fullchain.pem :rofl:

How do I do that?

Hm, curious.. Your fullchain.pem seems to be broken. The FINAL line with:


seems to be missing a single dash: -

It should be:


Maybe it'll fix your certbot certificates problem!

And for your nextcloud: change the following lines:

  ssl_certificate /usr/local/etc/letsencrypt/live/truenas/fullchain.pem;
  ssl_certificate_key /usr/local/etc/letsencrypt/live/truenas/privkey.pem;

to:

  ssl_certificate /usr/local/etc/letsencrypt/live/;
  ssl_certificate_key /usr/local/etc/letsencrypt/live/;

And reload nginx.
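
The two file checks made by eye in this thread (a fullchain.pem whose final END line is one dash short, and a fullchain.pem that should hold only certificates, never a private key) can be automated. The following is an added example, not part of the original posts and not certbot's own code; `check_pem_bundle` and the sample strings are hypothetical names, and the sample bodies are constructed placeholders rather than real certificates.

```python
import base64
import re

# RFC 7468 boundaries carry exactly five dashes on each side.
STRICT = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")
# Anything that looks like a boundary attempt, whatever its dash count.
LOOSE = re.compile(r"^-+\s*(BEGIN|END) ([A-Z0-9 ]+?)\s*-*$")


def check_pem_bundle(text):
    """Return (labels, problems) for a PEM bundle such as fullchain.pem."""
    labels, problems, current, body = [], [], None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        loose = LOOSE.match(line)
        if loose is None:
            if current is not None:
                body.append(line)  # base64 payload of the open block
            continue
        if not STRICT.match(line):
            problems.append(f"line {n}: malformed boundary {line!r}")
        kind, label = loose.groups()
        if kind == "BEGIN":
            if current is not None:
                problems.append(f"line {n}: BEGIN inside unclosed {current}")
            current, body = label, []
            continue
        if current != label:
            problems.append(f"line {n}: END {label} without matching BEGIN")
        else:
            try:
                base64.b64decode("".join(body), validate=True)
            except ValueError:
                problems.append(f"line {n}: body of {label} is not base64")
            labels.append(label)
        if "PRIVATE KEY" in label:
            problems.append(f"line {n}: private key in certificate bundle")
        current = None
    if current is not None:
        problems.append(f"end of file: {current} block never closed")
    return labels, problems


# Constructed sample: placeholder body, final END line one dash short.
BODY = base64.b64encode(b"constructed placeholder, not a certificate").decode()
GOOD = f"-----BEGIN CERTIFICATE-----\n{BODY}\n-----END CERTIFICATE-----\n"
BROKEN = GOOD + f"-----BEGIN CERTIFICATE-----\n{BODY}\n-----END CERTIFICATE----\n"
```

Calling `check_pem_bundle(open(path).read())` on a bundle returns the block labels in order plus a list of problems; an empty problem list and only `CERTIFICATE` labels is what a healthy fullchain.pem should give.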