Fixing SSL Certificate Problem: Unable to get Local Issuer Certificate

A brief guide to fix SSL Certificate Problem: Unable to get Local Issuer Certificate

When you try to run a cURL request for an HTTPS connection, you may have received an “SSL Certificate Problem: Unable to get Local Issuer Certificate” error.

You either change or verify the cURL request, but you still face such an error. So, let us understand about this SSL error in this short piece of information.

What is the SSL Certificate Problem: Unable to get Local Issuer Certificate Error?

The SSL Certificate Problem: Unable to get Local Issuer Certificate error generally occurs when a root certificate is not properly configured. A user sends an HTTPS request and at that time, an SSL certificate is shared to verify the identity. In case, the root certificate is not configured properly, it can cause Unable to get Local Issuer Certificate error.

What causes Unable to get Local Issuer Certificate?

There are specific causes behind Unable to get Local Issuer Certificate error and will discuss solutions to this error.

The cause of such error ‘Unable to get a Local Issuer Certificate’ is misconfiguration of root and intermediate certificates during SSL communication between the client and the server.

The root certificate is not working correctly at the time when you send a request to the HTTPS source. Here, you have to share your SSL certificate for identity verification.

Moreover, the use of a Self-Signed SSL certificate is another cause of Unable to get a Local Issuer Certificate error. The browser and OS throw an error while encountering such a certificate, as they cannot recognize it. Self-Signed certificate is used for internal servers or testing environments.

How to fix SSL Certificate Problem: Unable to get Local Issuer Certificate

There are two solutions like for .PEM file format, and.CRT file format. We will first see a solution related to this .PEM file format.

Solution Related to .PEM Format

Modify php.ini (Maintain SSL)

Php.ini file is a configuration file that runs when you run PHP script. Php.ini file can be located within the directory of PHP installation in the system drive. Here, Php.ini file can be located in control panel and to edit php.ini file, you need to follow below precise process.

  • First, you need to download cacert.pem that can be downloaded from https://curl.haxx.se/ca/cacert.pem.
  • Then copy cacert.pem into your version of zend/openssl.
  • Now, Open the php.ini file and modify the CURL configuration by adding “cainfo = ‘/usr/local/openssl-0.9.8/certs/cacert.pem”
  • At last, restart PHP and check if the cURL can read the HTTPS URL.

Do Not Change php.ini (Maintain SSL)

We have seen one of the useful methods by changing php.ini file now; you can fix Unable to get local Issuer certificate by keeping php.ini unrevised. You can use the below code while maintaining SSL.

$ch = curl_init();

$certificate_location = ‘/usr/local/openssl-0.9.8/certs/cacert.pem’;

curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, $certificate_location);

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $certificate_location);

Disable SSL

Another troubleshooting solution to try out is disabling the certificate and enabling it again. However, whereas this might solve the problem, it is not recommended.

Disabling SSL certificate verification bypasses security measures, leaving connections vulnerable to interception. It exposes users to significant security risks, including man-in-the-middle attacks and data breaches. You should enter the code below to disable SSL.

$ch = curl_init();

curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);

All the above three solutions can fix the SSL Certificate Problem: Unable to get Local Issuer Certificate error for .PEM file format. Now, let us see a solution related to this.CRT file format.

Solution Related to .CRT File Format

Get SSL Bundle

Update the CA bundle, that will help you to get all current root and intermediate certificates for validating SSL connections. This procedure includes obtaining new certificates of certificate authorities from trusted resources. You should get the CA Bundle file and save it on the server. It is advisable to save it on the top of the server. For example, C:/xampp/htdocs/_certs/ca-bundle.crt.

Edit php.ini file

In the XAMPP server, you will find the php.ini file while accessing the config button to be found in the control panel. The Php.ini file may be located differently on different servers. The default location is the /etc directory.

After finding the php.ini file, enter the below lines.

[CA Certs]

curl.cainfo="C:/xampp/htdocs/_certs/ca-bundle.crt"

openssl.cafile="C:/xampp/htdocs/_certs/ca-bundle.crt"

Restart PHP

Different servers have various methods to restart PHP. In the XAMPP server, you need to turn off Apache and then turn it on in the control panel again. For Linux servers, use the service php5-fpm restart” command.

For Git Server: How to Fix SSL Certificate Problem: Unable to get Local Issuer Certificate Error?

Most Git users also face being unable to get local issuer certificate errors and there are certain ways to fix such errors for Git server.

The error sometimes occurs due to self-signed certificates, which are used for internal testing environments. Git server may show an error when facing a self-signed certificate. Self Signed certificates are used for internal services. Corporate companies use such certificates for internal services and face Unable to get Local Issuer Certificate Error.

Solutions to Unable to get Local Issuer Certificate Error for Git Server

Change the php.ini File

Php.ini can be created and edited in the control panel. It can be found in the root directory of a domain name.

php.ini can be edited or modified easily even on shared servers. Here, we will see below steps to edit php.ini file in control panel to solve unable to get local issuer certificate error.

  • First, login to cPanel.
  • You need to browse File Manager>>PHP Software.
  • Now, open the php.ini file.
  • Click on http://curl.haxx.se/ca/cacert.pem.
  • Now, download the cacert.pem file.
  • Copy the cacert.pem file to openssl/zend (like – ‘/usr/local/openssl-0.9.8/certs/cacert.pem’.)
  • Head to php.ini and add “cainfo = ‘/usr/local/openssl-0.9.8/certs/cacert.pem” to CURL.
  • Finally, restart PHP and check whether CURL can read the HTTPS URL or not.

Add SSL Certificate to Trusted Certificate Store

Whenever you encounter the Unable to Get Local Issuer Certificate error while using GIT bash, you can try troubleshooting by incorporating SSL certificate into trusted certificate store. Here is the guide to do that:

  • Copy the Git SSL certificate.
  • Navigate to the trusted certificate store (typically located at C:\Program Files\Git\mingw64\ssl\certs).
  • Open the ca-bundle.crt file within the store.
  • Paste the copied Git SSL certificate at the end of the .crt file.
  • Save the file to ensure the changes take effect.

Reinstall Git & choose SSL Transport Backend Option

Secondly, you can try reinstalling GIT and selecting the SSL transport backend option. Here is the guide to do that:

  • Uninstall Git via the Control Panel.
  • After uninstallation, proceed as follows:
  1. Open a web browser (e.g., Google Chrome).
  2. Enter https://git-scm.com/download/win in the URL bar and press Enter.
  3. Download the suitable Git version for your system.
  4. During installation, ensure to select the SSL Transport Backend option for proper configuration.

Allow Repository Access to SSL Certificates or Reassign Path in VS Code

If this error occurred in VSC, you can follow the below process to fix the error.

  • You can reconfigure Git by running the command git config –global http.sslBackend schannel in the terminal.
  • If an error happens due to accessibility then, open the terminal with admin rights and run the git config –system http.sslBackend schannel
  • If an error persists due to location configuration, you can use git config –global http.sslcainfo “Path” command to solve the error.

Deactivate SSL certificate

Deactivating SSL certificates is not recommendable as cyber culprits can take advantage of it. You can deactivate the SSL certificate with the below path.

SSL can be disabled two types like Git at local level and Git at global level

  • Git at Local Level: you can use the $ git -c http.sslVerify=false clone [URL]
  • Git at Global Level: you can use the $ git config –global http.sslVerify false
  • To re-enable SSL certificate, use the $ git config –global http.sslVerify true

Conclusion

The above solutions for browsers based and Git server based would work to fix ‘SSL certificate problem: unable to get local issuer certificate’ error. Instead of uninstalling an SSL certificate, you can use any of the above or all solutions to fix this error as your website needs protection against cyber threats.

Related Articles:

About the Author

Meet Solanki

Meet Solanki, an IT maestro with 8+ years of hands-on expertise in the realms of network and server administration. Armed with a Bachelor's degree in Computer Science, Meet takes pride in being more than a tech enthusiast - he ensures that the systems run seamlessly and maintain the highest standards of security. His technical acumen is a testament to his commitment to optimizing system performance and ensuring robust security protocols.

Trusted by Millions

SSL2BUY delivers highly trusted security products from globally reputed top 5 Certificate Authorities. The digital certificates available in our store are trusted by millions – eCommerce, Enterprise, Government, Inc. 500, and more.
PayPal
Verizon
2Checkout
Lenovo
Forbes
Walmart
Dribbble
cPanel
Toyota
Pearson
The Guardian
SpaceX