The error "Unable to get Local Issuer Certificate" typically occurs when there is a problem with the SSL certificate chain. SSL certificates help encrypt and secure communication over the internet. When this error arises, it generally means that the client (such as a browser, API client, or other tool) cannot verify the authenticity of the SSL certificate presented by the server, either because it doesn't have the necessary intermediate certificates or because the root certificate authority (CA) isn't trusted.

This issue is often encountered when using tools such as Git, cURL, or OpenSSL, but can also happen in web browsers or any software relying on SSL/TLS connections. Here’s a comprehensive guide on understanding and fixing this issue.

1. Understanding the Error

SSL certificates are typically issued in a chain. The chain begins with the root certificate authority (CA) that is implicitly trusted by most operating systems and browsers. The root CA issues intermediate certificates, which in turn issue the final certificate to a specific domain or service.

If the chain is broken, meaning the client can’t trace the server’s certificate back to a trusted root CA, the "Unable to get Local Issuer Certificate" error occurs. This can happen due to missing intermediate certificates, untrusted root CAs, or outdated certificate stores.

2. Common Scenarios Where the Error Appears

  • cURL: When trying to connect to a website via HTTPS using cURL, the error might arise because cURL is unable to verify the certificate chain due to a missing or outdated certificate store on the client.
  • Git: This error can occur in Git when pushing or pulling from a remote repository using HTTPS if Git can’t verify the SSL certificate of the remote server.
  • Browsers: Browsers may show this error if the website’s SSL certificate chain is incomplete or if an organization’s root CA isn’t trusted.

3. How to Fix the Error

The fix will depend on the tool or platform encountering the issue. Below are steps to resolve it in several common contexts.

Fixing the Error in cURL

When using cURL, the issue often arises due to an outdated or missing CA certificate bundle. Follow these steps to fix it:

1. Update cURL's CA Certificates: Most systems maintain a CA certificate bundle that cURL uses. On Unix-based systems (like Linux and macOS), this bundle is usually located at /etc/ssl/certs/ca-certificates.crt or a similar location.

  • For Debian/Ubuntu, run:
sudo apt-get update
sudo apt-get install --reinstall ca-certificates
  • For Red Hat/CentOS, run:
sudo yum reinstall ca-certificates

2. Provide Custom CA Bundle: If you have a custom CA bundle, you can explicitly tell cURL to use it:

curl --cacert /path/to/custom-ca-bundle.crt https://example.com

3. Bypass SSL Verification (not recommended): You can temporarily disable certificate validation, but use this cautiously. With validation off, cURL accepts whatever certificate the server presents, so the connection is no longer protected against interception:

curl -k https://example.com

Fixing the Error in Git

Git relies on cURL or OpenSSL for HTTPS connections, and the error typically indicates that Git cannot find a trusted CA to verify the remote server’s certificate. Here’s how to fix it:

1. Update Git’s CA Certificates: Similar to cURL, you should ensure that Git is using the latest CA certificate bundle. On most systems, Git uses the same CA certificate store as cURL, so updating your system’s certificates should resolve the issue.

2. Configure Git to Use a Specific CA File:

  • Download a valid CA certificate from a trusted source or your organization’s network.
  • Configure Git to use it:
git config --global http.sslCAInfo /path/to/ca-bundle.crt

3. Disable SSL Verification (not recommended): Similar to cURL, you can bypass certificate verification for Git, but this weakens security.

Fixing the Error in Browsers

If you're encountering this error in a web browser, it might be due to a misconfigured SSL certificate on the server, such as a missing intermediate certificate. Here are the steps:

1. Check the Server’s SSL Certificate: Use an online tool like SSL Labs’ SSL Test to check if the server has properly configured the certificate chain.

2. Add Missing Intermediate Certificates: If you are managing the server, ensure that all required intermediate certificates are provided. This can usually be done by adding the intermediate certificates to your web server configuration.

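  • For example, in Apache, you might add the SSLCertificateChainFile directive (obsolete since Apache 2.4.8, where the intermediate certificates are instead appended to the file named by SSLCertificateFile):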
SSLCertificateChainFile /path/to/intermediate-certificate.crt
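
The broken chain described in section 1 and the intermediate-certificate fix above can be reproduced offline with the openssl command line. This is an added example, not part of the original article: it builds a constructed throwaway PKI (the names "Demo Root CA", "Demo Intermediate CA" and demo.example, and the helper functions, are made up), then verifies the leaf as a client that trusts only the root, first without and then with the intermediate the server should send.

```shell
#!/bin/sh
# Added example. Constructed throwaway PKI:
#   Demo Root CA -> Demo Intermediate CA -> demo.example
# All names, files and helper functions are made up for this demonstration.

# make_cert DIR NAME SUBJECT EXTFILE [signing options for `openssl x509 -req`]
make_cert() {
  mc_dir=$1 mc_name=$2 mc_subj=$3 mc_ext=$4; shift 4
  openssl req -new -newkey rsa:2048 -nodes -subj "$mc_subj" \
    -keyout "$mc_dir/$mc_name.key" -out "$mc_dir/$mc_name.csr" 2>/dev/null
  openssl x509 -req -in "$mc_dir/$mc_name.csr" -days 2 -extfile "$mc_ext" \
    "$@" -out "$mc_dir/$mc_name.pem" 2>/dev/null
}

build_chain() {
  bc_dir=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$bc_dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:demo.example\n' \
    > "$bc_dir/leaf.ext"
  # Root is self-signed; the root signs the intermediate; the intermediate signs the leaf.
  make_cert "$bc_dir" root "/CN=Demo Root CA" "$bc_dir/ca.ext" \
    -signkey "$bc_dir/root.key" -set_serial 1
  make_cert "$bc_dir" int "/CN=Demo Intermediate CA" "$bc_dir/ca.ext" \
    -CA "$bc_dir/root.pem" -CAkey "$bc_dir/root.key" -set_serial 2
  make_cert "$bc_dir" leaf "/CN=demo.example" "$bc_dir/leaf.ext" \
    -CA "$bc_dir/int.pem" -CAkey "$bc_dir/int.key" -set_serial 3
  # What a correctly configured server sends: leaf first, then the intermediate.
  cat "$bc_dir/leaf.pem" "$bc_dir/int.pem" > "$bc_dir/fullchain.pem"
}

# verify_leaf DIR [extra `openssl verify` options]
# The client trusts only the root (-CAfile). Certificates passed with -untrusted
# play the role of the extra certificates a server sends in the TLS handshake.
verify_leaf() {
  vl_dir=$1; shift
  openssl verify -CAfile "$vl_dir/root.pem" "$@" "$vl_dir/leaf.pem" 2>&1
}

demo_dir=$(mktemp -d)
build_chain "$demo_dir"
echo "Server sends the leaf only (intermediate missing):"
verify_leaf "$demo_dir" || true
echo "Server sends leaf + intermediate:"
verify_leaf "$demo_dir" -untrusted "$demo_dir/fullchain.pem"
```

The first check fails with the error this article is about even though the root is trusted, which is why reinstalling the client's CA bundle does not help when the server omits its intermediate.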

4. Preventing Future Issues

  • Keep CA Bundles Updated: Always keep your system’s CA certificates up-to-date to avoid encountering these types of errors.
  • Regularly Check Certificate Chains: If you're managing servers, periodically verify your SSL certificate chains with online tools to ensure that all intermediates are included.
  • Trust Custom Root CAs: In enterprise environments, ensure that any custom root CAs are properly trusted on all clients.

By following these steps, you can resolve the "Unable to get Local Issuer Certificate" error and ensure secure and trusted connections across various tools and platforms.

Neha
