What Does Unable to Get Local Issuer Certificate Error Mean?
The “Unable to Get Local Issuer Certificate” error is a common SSL/TLS-related issue that can occur in various situations, such as when making API calls, accessing web services, or running command-line tools. This error indicates that your system cannot verify the SSL certificate of the remote server you’re trying to connect to.
Getting the “unable to get local issuer certificate” error can be frustrating, as it prevents you from accessing certain websites and services. This error indicates an issue with the SSL/TLS certificate configuration on the server you are trying to connect to.
The good news is this error can often be fixed by making some configuration changes on your device. In this guide, I’ll walk you through the most common solutions to resolve the “unable to get local issuer certificate” error on Windows, Mac, iPhone/iPad, and Android devices.
Key Takeaways
- The “unable to get local issuer certificate” error occurs when there is an issue with the SSL/TLS certificate configuration on the server you are connecting to.
- On Windows, you can fix this by clearing your SSL state cache, making sure your date/time is correct, and installing any required root certificates.
- For Mac, clearing app caches, updating your date/time, trusting root certificates, and using a VPN can resolve the error.
- On iPhone/iPad, revoking and reinstalling certificates, setting the date/time automatically, and using a VPN help fix the problem.
- On Android, clearing app caches and data, checking date/time accuracy, and using a VPN are some solutions to try.
What Causes the “Unable to Get Local Issuer Certificate” Error?
The “unable to get local issuer certificate” error typically arises due to issues with the SSL/TLS certificate configuration. Specifically, there are a few common causes:
- Misconfiguration of root and intermediate certificates during SSL communication between the client and server. The root certificate may not be functioning correctly when the client sends a request to the HTTPS source, preventing the successful identity verification.
- Use of a self-signed SSL certificate. Self-signed certificates are commonly used for internal servers or testing environments, but they are not recognized by browsers and operating systems, leading to this error.
- Incorrect SSL certificate chain. The SSL certificate chain, including the root and any intermediate certificates, must be properly configured for the client to verify the server’s identity.
- Outdated or missing SSL/TLS libraries on the client-side. If the necessary SSL/TLS libraries are not up-to-date or are missing, the client may be unable to verify the server’s certificate.
Understanding the underlying causes of this error is crucial for implementing the appropriate fixes, which may involve configuring the certificate chain, updating SSL/TLS libraries, or using a trusted SSL certificate.
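The incorrect-chain cause from the list above can be reproduced offline. The following is an added example, not part of the original article: it builds a throwaway three-level chain with the openssl command line and verifies the leaf with and without the intermediate. All certificate names, file names and the helper functions make_pki, issue and verify_leaf are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. Constructed demo PKI (all names are made up):
#   Demo Root CA -> Demo Intermediate CA -> git.example.test (leaf)
set -eu

make_pki() {  # $1 = working directory
    d=$1
    # Minimal config: -subj supplies the names, the sections supply extensions.
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
        '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
        '[v3_leaf]' 'basicConstraints = CA:FALSE' > "$d/pki.cnf"
    # Self-signed root CA: the only certificate the client will trust.
    openssl req -config "$d/pki.cnf" -x509 -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # Intermediate CA, signed by the root.
    issue "$d" int "/CN=Demo Intermediate CA" root v3_ca 2
    # Server (leaf) certificate, signed by the intermediate.
    issue "$d" leaf "/CN=git.example.test" int v3_leaf 3
}

issue() {  # dir, name, subject, issuer name, extension section, serial
    openssl req -config "$1/pki.cnf" -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -set_serial "$6" -days 2 -extfile "$1/pki.cnf" -extensions "$5" \
        -out "$1/$2.pem" 2>/dev/null
}

verify_leaf() {  # $1 = PKI dir, $2 = optional file of untrusted intermediates
    out=$(openssl verify -CAfile "$1/root.pem" ${2:+-untrusted "$2"} \
        "$1/leaf.pem" 2>&1) || true
    case "$out" in
        *": OK"*) echo "OK" ;;
        *) printf '%s\n' "$out" | grep -m1 '^error [0-9]' || true ;;
    esac
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_pki "$work"
# Server sends only the leaf: the client cannot find the leaf's issuer.
echo "leaf only:           $(verify_leaf "$work")"
# Server sends leaf + intermediate: the chain reaches the trusted root.
echo "leaf + intermediate: $(verify_leaf "$work" "$work/int.pem")"
```

The first case fails at depth 0 because the only trusted certificate is the root and nothing links the leaf to it; supplying the intermediate completes the chain without adding anything to the trust store.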
How to Fix SSL Certificate Problem: Unable to get Local Issuer Certificate
There are two sets of solutions: one for the .PEM file format and one for the .CRT file format. We will first look at the solutions for the .PEM file format.
Solutions for .PEM File Format
Modify the php.ini File (Maintain SSL)
When you execute a PHP script, the system runs the php.ini configuration file. You can locate the php.ini file within the directory of the PHP installation on the system drive. Access the php.ini file through the control panel, and follow the precise process outlined below to edit it.
- First, you need to download the cacert.pem file, which can be downloaded from https://curl.haxx.se/ca/cacert.pem.
- Then, copy the cacert.pem file into your version of the Zend/OpenSSL directory.
- Next, open the php.ini file and modify the cURL configuration by adding the line curl.cainfo = "/usr/local/openssl-0.9.8/certs/cacert.pem".
- Finally, restart PHP and check if cURL can now read the HTTPS URL.
Do Not Change php.ini (Maintain SSL)
In the previous method, we saw how to fix the “Unable to get local Issuer certificate” error by modifying the php.ini file. However, an alternative approach is to maintain the SSL configuration without changing the php.ini file. You can use the following code to achieve this.
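$ch = curl_init();
// Path to the downloaded CA bundle
$certificate_location = '/usr/local/openssl-0.9.8/certs/cacert.pem';
// Check that the certificate matches the host name and chains to a CA in the bundle
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_CAINFO, $certificate_location);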
Disable SSL
Another potential troubleshooting solution is to disable the SSL certificate verification and then re-enable it. However, while this may resolve the problem, it is not a recommended approach.
Disabling SSL certificate verification bypasses important security measures, leaving connections vulnerable to interception. This exposes users to significant security risks, including man-in-the-middle attacks and data breaches. You should only consider entering the code below to disable SSL as a last resort, and then immediately re-enable it once the issue is resolved.
$ch = curl_init();
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
The solutions above can all address the “SSL Certificate Problem: Unable to get Local Issuer Certificate” error when dealing with the .PEM file format. Now, let’s explore a solution related to the .CRT file format.
Solutions for .CRT File Format
Get SSL Bundle
To resolve the issue, you should update the CA (Certificate Authority) bundle. This will help you obtain all the current root and intermediate certificates required for validating SSL connections. This process involves obtaining the latest certificates from trusted certificate authorities. You should download the CA Bundle file and save it on the server, preferably at the top-level directory. For example, you could save it at C:/xampp/htdocs/_certs/ca-bundle.crt.
Edit php.ini file
In the XAMPP server, you can locate the php.ini file by accessing the config button in the control panel. The location of the php.ini file may vary depending on the server setup. However, the default location is typically the /etc directory.
Once you have located the php.ini file, you will need to add the following lines to it:
[CA Certs]
curl.cainfo="C:/xampp/htdocs/_certs/ca-bundle.crt"
openssl.cafile="C:/xampp/htdocs/_certs/ca-bundle.crt"
Restart PHP
The method to restart PHP will vary depending on the server environment. For the XAMPP server, you need to turn off the Apache service and then turn it back on in the control panel.
On Linux servers, you can typically use the command “service php5-fpm restart” to restart the PHP service.
How to Fix Unable to get Local Issuer Certificate Error for Git Server
Many Git users also encounter the “unable to get local issuer certificate” error, and there are several ways to address such issues for Git servers.
This error can sometimes occur due to the use of self-signed certificates, which are common in internal testing environments and on internal corporate services. When Git connects to a server that presents a self-signed certificate, it may report the “Unable to Get Local Issuer Certificate” error.
Change the php.ini File
The php.ini file can be created and edited through the control panel. It is typically located in the root directory of the domain.
Even on shared servers, the php.ini file can be easily edited or modified. In the following steps, we will see how to edit the php.ini file in the control panel to solve the “unable to get local issuer certificate” error.
- First, log in to cPanel.
- Navigate to the File Manager and select the PHP Software option.
- Locate and open the php.ini file.
- Click on the link https://curl.haxx.se/ca/cacert.pem to download the cacert.pem file.
- Copy the downloaded cacert.pem file to the openssl/zend directory (e.g., /usr/local/openssl-0.9.8/certs/cacert.pem).
- In the php.ini file, add the line curl.cainfo = "/usr/local/openssl-0.9.8/certs/cacert.pem" to the cURL configuration.
- Finally, restart PHP and check whether cURL can now read the HTTPS URL.
Add SSL Certificate to Trusted Certificate Store
If you encounter the “Unable to Get Local Issuer Certificate” error while using Git Bash, you can try troubleshooting by adding the SSL certificate to the trusted certificate store. Here’s how to do it:
- Copy the Git SSL certificate.
- Navigate to the trusted certificate store, which is typically located at C:\Program Files\Git\mingw64\ssl\certs.
- Open the ca-bundle.crt file within the certificate store.
- Paste the copied Git SSL certificate at the end of the .crt file.
- Save the file to ensure the changes take effect.
Reinstall Git & choose SSL Transport Backend Option
- Uninstall Git via the Control Panel.
- After uninstallation, proceed as follows:
- Open a web browser (e.g., Google Chrome).
- Enter https://git-scm.com/download/win in the URL bar and press Enter.
- Download the suitable Git version for your system.
- During installation, make sure to select the SSL Transport Backend option for proper configuration.
Allow Repository Access to SSL Certificates or Reassign Path in VS Code
- You can reconfigure Git by running the command git config --global http.sslBackend schannel in the terminal.
- If an error occurs due to insufficient permissions, open the terminal with admin rights and run git config --system http.sslBackend schannel.
- If the error persists because of the certificate location, use git config --global http.sslCAInfo "Path" to point Git at the certificate file.
Deactivate SSL certificate
It is not recommended to deactivate SSL certificates, as it can leave your system vulnerable to cyber threats. However, if you need to temporarily disable SSL certificates, you can do so in the following ways:
- Git at Local Level: Use the below command
git -c http.sslVerify=false clone [URL]
- Git at Global Level: Use the below command
git config --global http.sslVerify false
- To re-enable the SSL certificate, use the following command:
git config --global http.sslVerify true
Permanently Fix it for Git Users
If you are a Git user facing the ‘git SSL certificate problem unable to get local issuer certificate’ error, then you need to tell Git where the CA bundle is located.
To help Git find the CA bundle, use the following command:
git config --system http.sslCAPath /absolute/path/to/git/certificates
Temporary Fix it for Git Users
To temporarily fix the ‘SSL certificate problem: unable to get local issuer certificate’ error, you could disable the verification of your SSL certificate. However, this approach is not recommended as it could lower your website’s security.
Use the following command to disable the verification of your SSL certificate:
git config --global http.sslVerify false
If neither of the two options works, consider removing and reinstalling Git.
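Both the global switch-off shown earlier and the temporary fix above leave http.sslVerify false in the configuration until someone resets it. The following added example (not from the original article) lists every setting in a Git config file that disables verification and removes it, leaving a per-host http.<url>.sslCAInfo entry in place. The host name git.internal.example, the CA path and the function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example: find Git settings that turn TLS verification off, then remove
# them. The config file, host name and CA path below are constructed.
set -eu

# Print every key in config file $1 whose boolean value disables verification.
# --bool normalises "no", "off" and "0" to "false".
insecure_keys() {
    git config --file "$1" --bool --get-regexp '^http\.(.*\.)?sslverify$' \
        2>/dev/null | awk '$NF == "false" { print $1 }'
}

# Remove each offending key so Git falls back to its default (verification on).
restore_verification() {
    insecure_keys "$1" | while IFS= read -r key; do
        git config --file "$1" --unset-all "$key"
    done
}

cfg=$(mktemp)
trap 'rm -f "$cfg"' EXIT
# A global switch-off that was never reverted.
git config --file "$cfg" http.sslVerify false
# A per-host switch-off written with a different boolean spelling.
git config --file "$cfg" http.https://git.internal.example/.sslVerify no
# The scoped alternative: trust one extra CA file for one host only.
git config --file "$cfg" http.https://git.internal.example/.sslCAInfo \
    /etc/ssl/internal-ca.pem

echo "before: $(insecure_keys "$cfg" | tr '\n' ' ')"
restore_verification "$cfg"
echo "after:  $(insecure_keys "$cfg" | tr '\n' ' ')"

# The environment can also disable verification for every Git command.
if [ -n "${GIT_SSL_NO_VERIFY:-}" ]; then
    echo "GIT_SSL_NO_VERIFY is set in this shell"
fi
```

To audit a real machine, point insecure_keys at ~/.gitconfig, the system gitconfig and each repository's .git/config in turn.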
Unverified Self-signed SSL Certificate
A self-signed SSL certificate is signed with its owner’s own key rather than by a certificate authority, and anyone can create one by generating their own signing key. Operating systems and web browsers may not be able to verify the identity of the signer. This can lead to errors like “SSL certificate problem: unable to get local issuer certificate” or “curl: (60) SSL certificate problem: unable to get local issuer certificate”.
Solution: To fix this, purchase an SSL certificate from a trusted certificate authority. The certificate authority will authenticate the certificate so that operating systems and browsers recognize it as valid. Then install the authenticated SSL certificate.
Final Thoughts
In conclusion, the “unable to get local issuer certificate” error is a common issue faced by Git users, but it can be resolved through a few straightforward steps. The permanent solution involves configuring Git to recognize the correct CA bundle path, while the temporary fix involves disabling SSL verification, though the latter approach should be used cautiously as it compromises security.
By following the steps outlined in this guide, you can quickly resolve the SSL certificate problem and ensure your Git operations run smoothly without compromising the security of your website or application. Maintaining a secure SSL certificate remains the best long-term solution for protecting your online presence.
Frequently Asked Questions about Local Issuer Certificate Errors
What is a local issuer certificate error?
It’s an SSL/TLS error that occurs when your device does not trust the certificate authority (CA) that issued the website’s security certificate, meaning it cannot verify the certificate is valid.
Why is the unable to get local issuer certificate error happening?
It’s typically caused by an untrusted or invalid certificate on the server you are connecting to. It can also happen if your device lacks the root certificates required to verify the certificate chain.
How do I fix the local issuer certificate error on iPhone?
On iPhone, try revoking and reinstalling the problematic certificates, setting the date/time to automatic, and using a trusted VPN app. If issues persist, contact the server admin.
Why am I suddenly getting a local issuer certificate error?
It usually occurs suddenly if the affected website just renewed its certificates or changed its SSL/TLS configuration. Your device no longer trusts the new certificate chain.
How do I fix the local issuer certificate error on Android?
Solutions include clearing app caches/data, ensuring the date/time is accurate, installing any required CA certificates, and temporarily bypassing the issue using a VPN app.
Can I ignore the unable to get local issuer certificate error?
It’s not recommended. This error makes the website’s connection insecure and vulnerable to man-in-the-middle attacks. You should resolve it.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.