We all know the essence of an SSL certificate. The certificate offers robust end-to-end encryption to ensure user data and communications between web servers and website browsers. But while using the SSL certificate, you will likely come across the “Unable to get local issuer certificate” error. Although this problem is not so common, it is prudent to arm yourself with adequate knowledge and skills to solve the problem if and when it occurs. This guide will explore some of the troubleshooting solutions to fix this error. But let us start by understanding the cause of the error.
Cause Of SSL Certificate Problem: Unable to Get Local Issuer Certificate
The error results from misconfiguration while sending all the intermediate and root certificates to the web server during the SSL/TLS communication between website servers and browsers (client).
Sometimes when using an HTTPS connection and making a request to a secure HTTPS source, you will be required to verify your identity by sharing your SSL certificate. This is because all details pertaining to the organizations are usually embedded in the SSL certificate. The Certificate Problem: Unable to Get Local Issuer Certificate error is a clear indication that the system’s root certificates are not working as properly as they should.
Fixing the SSL Certificate Problem: Unable to get Local Issuer Certificate
There are three possible solutions you can use to fix this problem. These fixes are explained below:
1. Editing or changing php.ini
Here is the step-by-step guide to fixing this problem by changing the php.ini:
Step 1: First, you will have to download the cacert.pem by clicking on the following link: http://curl.haxx.se/ca/cacert.pem
Step 2: Secondly, you should copy the cacert.pem file you just downloaded into zend/openssl version. For example, the file should appear like ‘/usr/local/openssl0.9.8/certs/cacert.pem’.
Step 3: Next, you should open the php.ini and modify some elements in the CURL configuration by adding the command below:
cainfo = ‘/usr/local/openssl-0.9.8/certs/cacert.pem
Step 4: Step 4 involves restarting the PHP to determine if the CURL can read the HTTPS URL.
2. No Need To Change php.ini
The second troubleshooting solution is pretty much straightforward. You do have to edit or change anything in the php.ini. All you have to do is to add the following code while maintaining SSL:
$ch = curl_init();
$certificate_location = ‘/usr/local/openssl-0.9.8/certs/cacert.pem’;
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $certificate_location);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $certificate_location);
3. Disable SSL Certificate
Although this is not recommended, disabling SSL certificate could also help to resolve the “Unable to get local issuer certificate” problem. All you have to do is to enter the following code:
$ch = curl_init();
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
Permanent Fix GIT users
For GIT users looking for a permanent solution, it is good that you locate the CA bundle and inform GIT about the same. You should run the following command to help GIT find the location:
git config –system Http.sslCAPath /absolute/path/to/git/certificates.
Wrapping It Up
SSL certificate is a reliable security measure to safeguard internet resources against malicious attackers. Keeping this in mind, it is not a good idea to uninstall the SSL certificate just because you want to fix a minor issue of SSL configuration. Doing so might weaken the security of your website and invite a host of attackers to your website. The solutions I have explained above will help you solve the “Unable to get local issuer certificate” error. We will keep on posting more troubleshooting articles on this blog to help you with technical and nontechnical SSL certificate issues. Stay tuned.