SSL Error: unable to get local issuer certificate

An SSL certificate secures the communication between a server and a browser and prevents third parties from intercepting sensitive data. It enables SSL/TLS encryption and carries the website's public key and identity, along with the information needed to verify the website's integrity and authenticity.


Reason for unable to get local issuer certificate

The SSL certificate verifies the server's identity and secures data exchange between the server and the client over HTTPS. During the SSL handshake, the client receives the server's certificate, which contains the server's public key, and uses it to establish the SSL connection. To trust the server's certificate and prevent man-in-the-middle attacks, the client must possess the certificate of the CA that signed the server certificate. In this case, however, the TLS server fails to send the complete certificate chain during the handshake: it omits the intermediate certificate, which the standards require it to send.

Solution: Unable to get Local Issuer Certificate

The most effective solution to address this issue is to obtain a reliable SSL certificate from a trustworthy Certificate Authority (CA) and properly install it. However, it is essential for the server administrators to address the root cause of the problem, as this issue is related to the server setup. By rectifying the server configuration, the complete certificate chain, including the intermediate certificate, should be sent during the handshake, ensuring a secure and seamless SSL connection.
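
The cause and the server-side fix described above can be reproduced offline with the openssl command-line tool. The script below is an added example, not part of the original article: it builds a throwaway root, intermediate and leaf certificate (the names demo-root, demo-int, demo-leaf and the helper function names are made up for the demo) and verifies the leaf as a client that trusts only the root, first with the intermediate omitted and then with it supplied.

```bash
#!/usr/bin/env bash
# Added demo (constructed data): reproduce "unable to get local issuer
# certificate" with a throwaway root -> intermediate -> leaf chain.

# build_chain DIR: create demo-root, demo-int and demo-leaf keys and certs.
build_chain() {
  local d="$1" n
  # CA extensions for the root and the intermediate.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$d/ca.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Root signs itself, root signs the intermediate, intermediate signs the leaf.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Client trusts only the root; the server sent the leaf without the intermediate.
verify_without_intermediate() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1
}

# Same client; the server sent leaf + intermediate (-untrusted = peer-supplied).
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" 2>&1
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
build_chain "$demo_dir" || { echo "openssl failed to build the chain" >&2; exit 1; }
echo "--- intermediate omitted ---"
verify_without_intermediate "$demo_dir" || true
echo "--- full chain sent ---"
verify_with_intermediate "$demo_dir" || true
```

The first verification reports error 20, "unable to get local issuer certificate", because the client cannot link the leaf to its trusted root; the second succeeds with the same trust store once the intermediate is presented.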

Change php.ini (Maintain SSL)

  1. Download cacert.pem from https://curl.haxx.se/ca/cacert.pem
  2. Then, copy cacert.pem into your version of zend/openssl.
    For example, '/usr/local/openssl-0.9.8/certs/cacert.pem'.
  3. Modify the CURL configuration by adding:
    curl.cainfo = "/usr/local/openssl-0.9.8/certs/cacert.pem"

Without Altering php.ini file (Maintain SSL)

$ch = curl_init();
$certificate_location = '/usr/local/openssl-0.9.8/certs/cacert.pem';
// Point cURL at the CA bundle and keep peer and host name verification enabled.
curl_setopt($ch, CURLOPT_CAINFO, $certificate_location);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

For .CRT Format

  1. Go for the SSL bundle – ca-bundle.crt
  2. You can acquire the SSL bundle by copying the content of the URL below onto your server:
    https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt

Restart PHP

Different servers have different ways to restart PHP. After restarting PHP, check whether cURL is able to read HTTPS URLs.

Git Users

To help Git find the CA bundle, use the below-mentioned command:

git config --system http.sslCAPath /absolute/path/to/git/certificates

Temporary Fix

Use the following command to disable the verification of your SSL certificate:

git config --global http.sslVerify false

If neither of the two options works, consider removing and reinstalling Git.


Disable SSL (Not advisable)

$ch = curl_init();
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

Disabling SSL certificate verification is a possible approach, but it should only be used for experimental purposes and never in a production environment. By disabling certificate verification, your program will bypass the standard SSL authentication process, which can potentially lead to security vulnerabilities and expose your system to potential threats. It is crucial to use this method with extreme caution and only for testing purposes, while ensuring that proper SSL certificate verification is enabled in a production setting to maintain a secure and trustworthy communication channel between the server and the client.

Conclusion

The SSL error "unable to get local issuer certificate" occurs when the server's certificate chain is not properly configured, and the client cannot verify the authenticity of the certificate. This error can be resolved by ensuring that the server's SSL certificate is purchased from a trusted Certificate Authority (CA) and properly installed, while also making sure the server's configuration includes the complete certificate chain to establish a secure SSL connection.