How to Fix Unable to get Local Issuer Certificate

Last updated: December 16, 2022
David Cao
DevOps

“Unable to get Local Issuer Certificate” is a common SSL certificate error. It is related to the incomplete certificate chain such as (most commonly) missing the intermediate certificate. The fix is to ensure the entire certificate chain is present.

We will dive into this issue to see why this happens and how to fix it.

Understanding certificate chain

A certificate chain is an ordered list of certificates, containing an SSL/TLS server certificate, intermediate certificate, and Certificate Authority (CA) Certificates, that enable the receiver to verify that the sender and all CA’s are trustworthy.

Root Certificate. A root certificate is a digital certificate that belongs to the issuing Certificate Authority. It comes pre-downloaded in most browsers and is stored in what is called a “trust store.” The root certificates are closely guarded by CAs.
Intermediate Certificate. Intermediate certificates branch off root certificates like branches of trees. They act as middle-men between the protected root certificates and the server certificates issued out to the public. There will always be at least one intermediate certificate in a chain, but there can be more than one.
Server Certificate. The server certificate is the one issued to the specific domain the user is needing coverage for.

We will use these files in this example.

CA certificate file (usually called ca.pem or cacerts.pem)
Intermediate certificate file (if exists, can be more than one. If you don’t know if you need an intermediate certificate, run through the steps and find out)
Server certificate file

How to get a free SSL certificate?

If you need a free SSL certificate for your website, Elementor Cloud Website is a great option. They offer fast speeds, good uptime, and excellent customer support. It is an end-to-end solution gives you everything you need in one place for your website. Web Hosting on Google Cloud + SSL certificate + WordPress + Website Builder + Templates.

We recommend using Elementor Cloud Website to build a website. It is very easy to start. You can get your website online in minutes. The price is $99 for one year. Plus, they offer a 30-day money-back guarantee, so you can try it out with no risk.

How do Certificate Chains work?

When we install our TLS certificate, we also be sent an intermediate root certificate or bundle.

When a browser downloads our website’s TLS certificate upon arriving at our homepage, it begins chaining that certificate back to its root. It will begin by following the chain to the intermediate that has been installed, from there it continues tracing backwards until it arrives at a trusted root certificate.

If the certificate is valid and can be chained back to a trusted root, it will be trusted. If it can’t be chained back to a trusted root, the browser will issue a warning about the certificate.

View Certificate Chain

Use the openssl utility that can display a certificate chain. The following command will display the certificate chain for google.com.

openssl s_client -connect google.com:443 -servername google.com

0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority

In the openssl output, the numbered lines start with the server certificate (#0) followed by the intermediate (#1) and the root (#2).

The s: indicates the certificate subject, and i: indicates the issuing certificate’s subject.

Guidelines to verify the certificate chain is valid

Subject of each certificate matches the Issuer of the preceding certificate in the chain (except for the Entity certificate).
Subject and Issuer are the same for the root certificate.

If the certificates in the chain adhere to these guidelines, then the certificate chain is considered to be complete and valid.

The Subject of the intermediate certificate matches the Issuer of the entity certificate.
The Subject of the root certificate matches the Issuer of the intermediate certificate.
The Subject and Issuer are the same in the root certificate.

Example of a valid certificate chain

server certificate

openssl x509 -text -in entity.pem | grep -E '(Subject|Issuer):'

Issuer: C = US, O = Google Trust Services, CN = GTS CA 1O1
Subject: C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.enterprise.apigee.com

Intermediate certificate

openssl x509 -text -in intermediate.pem | grep -E '(Subject|Issuer):'

Issuer: OU = GlobalSign Root CA – R2, O = GlobalSign, CN = GlobalSign
Subject: C = US, O = Google Trust Services, CN = GTS CA 1O1

Root certificate

openssl x509 -text -in root.pem | grep -E '(Subject|Issuer):'

Issuer: OU = GlobalSign Root CA – R2, O = GlobalSign, CN = GlobalSign
Subject: OU = GlobalSign Root CA – R2, O = GlobalSign, CN = GlobalSign

Check SSL Certificate with OpenSSL

Validate certificate chain with server and root Certificate

openssl verify cert.pem

cert.pem: C = Country, ST = State, O = Organization, CN = FQDN
error 20 at 0 depth lookup:unable to get local issuer certificate

We can use the following two commands to make sure that the issuer in the server certificate matches the subject in the ca certificate.

openssl x509 -noout -issuer -in cert.pem

issuer= /CN=the name of the CA

$ openssl x509 -noout -subject -in ca.pem

subject= /CN=the name of the CA

In the following case, we need to add the CAfile to verify the root certificate.

$ openssl verify -CAfile ca.pem cert.pem

cert.pem: OK

Validate certificate chain with server, intermediate, and root Certificate

$ openssl verify cert.pem

cert.pem: C = Countrycode, ST = State, O = Organization, CN = yourdomain.com
error 20 at 0 depth lookup:unable to get local issuer certificate

To complete the validation of the chain, we need to provide the CA certificate file and the intermediate certificate file when validating the server certificate file.

We can do that using the parameters CAfile (to provide the CA certificate) and untrusted (to provide intermediate certificate):

$ openssl verify -CAfile ca.pem -untrusted intermediate.cert.pem cert.pem

cert.pem: OK

If we have multiple intermediate CA certficates, we can use the untrusted parameter multiple times like -untrusted intermediate1.pem -untrusted intermediate2.pem .

Fix routines:X509_check_private_key:key values mismatch in 2 Ways

David Cao

David is a Cloud & DevOps Enthusiast. He has years of experience as a Linux engineer. He had working experience in AMD, EMC, and Cisco company. He likes Linux, Python, bash, and more. He is a technical blogger and a Software Engineer. He enjoys sharing his learning and contributing to open-source.

Welcome to howtouselinux.com!

Our website is dedicated to providing comprehensive information on using Linux.

We hope you find our site helpful and informative, and we welcome your feedback and suggestions for future content.

Learn More

3 ways to check FIPS in Linux

FIPS is an acronym that stands for Federal Information Processing Standards. It is a set of standards and guidelines developed by the United States federal

2 ways to check selinux status in Linux

Security-Enhanced Linux (SELinux) is a security architecture for Linux systems that allows administrators to have more control over who can access the system. It was

3 ways to get AWS S3 bucket size

When it comes to Amazon Web Services (AWS), S3 is one of the most popular services. This is because S3 provides a secure and scalable

How to get AWS Instance ID

If you’re running a business on Amazon Web Services (AWS), then you know that instances are an important part of your infrastructure. It’s crucial to

Understanding /etc/resolv.conf file in Linux

The /etc/resolv.conf file is a configuration file used by the Linux operating system to store information about Domain Name System (DNS) servers. This file contains

How to list repository in Linux

In Linux, a repository is a collection of software packages that are available for installation on your system. Think of it as an app store

How to Find Your IP Address in Ubuntu Linux

If you’re having trouble connecting to the internet or other devices on the network, checking your IP address can help you determine if the issue

2 ways to use Linux ip addr command

As a Linux user, you may have used the ip addr command at some point. But do you know what this command does and how

3 ways to fix ping: cannot resolve Unknown host

“ping: cannot resolve Unknown host” is an error message that typically appears when the ping command is used to try and reach a hostname that