Stumbling across the “unable to get local issuer certificate” error can be more than a mild nuisance—it can stop development in its tracks or create headaches for IT teams. As someone who’s managed countless SSL setups for production environments, I know firsthand how confusing this error can be, especially for those looking for a clear path to resolution. So, what do you do when this SSL problem rears its head? This guide unpacks the roots of the issue, provides tested solutions, and helps you prevent it in the future—with a focus on building confidence, clarity, and best practices so you can move forward, headache-free.
This article draws on years of systems administration experience and careful research to equip you with an actionable, trustworthy walkthrough—whether you’re using Git, cURL, Node.js, or configuring web servers. Bookmark this guide: it is designed to answer not just “why?” but also, crucially, “how do I fix it for good?”
What Is the “Unable to Get Local Issuer Certificate” Error?
When your application or tool shows “unable to get local issuer certificate”, it’s signaling a trust problem in the SSL certificate chain. SSL certificates rely on a verified chain between your certificate, intermediates, and a root certificate authority (CA). Much like needing official stamps in a passport, a valid SSL chain needs every certificate in place and trusted. If the chain is incomplete or contains an untrusted certificate, your operating system or client software stops the connection, typically with terse messages such as:
- SSL certificate problem: unable to get local issuer certificate
- Error code 0x14090086 (in cURL/OpenSSL)
- Failed to verify certificate chain (in Git, VS Code, etc.)
Not fixing the error leaves your connections insecure—potentially vulnerable—and frequently results in failed HTTPS requests, affecting the security and reliability of your projects.
Main Causes: Why Does This Happen?
Understanding the root causes of the “unable to get local issuer certificate” error is key. Here’s what I’ve seen most often in server environments and development workflows:
- Missing Intermediate or Root Certificates
Servers sometimes fail to supply the complete certificate chain—usually they’re missing an intermediate certificate. If the browser or client can’t trace the certificate all the way back to a trusted root, you’ll get this error.
Example: running
curl -v https://yoursite.com
might return:
SSL certificate problem: unable to get local issuer certificate
- Outdated CA Certificate Stores
Locally, outdated root CA lists—especially on older Linux systems or outdated Python/Node.js installations—prevent proper validation. Even if the server is set up correctly, this can break client connections.
- Misconfigured Certificate Chains on Servers
Incorrect SSL configurations on Apache or Nginx—such as a wrongly set SSLCertificateFile, a missing fullchain.pem, or an incomplete chain.pem—surface this issue consistently.
- Untrusted or Self-Signed Certificates
If your certificate was issued by a company-internal CA or is self-signed, your users (and automated tools) won’t recognize it unless it’s explicitly added as a trusted CA.
- Expired or Revoked Certificates
The internet saw this in 2021 when Let’s Encrypt’s DST Root CA X3 expired—suddenly, many systems were unable to verify even correctly configured certificates because their CA stores were out of date.
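The missing-intermediate case from the list above, reproduced offline as an added example (not from the original article): it builds a throwaway root, intermediate and leaf with openssl, then verifies the leaf the way a client that trusts only the root would, first with the leaf alone and then with fullchain.pem. The CA names, demo.example and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: all names, keys and certificates below are constructed throwaways.
set -eu

# Fill directory $1 with a root CA, an intermediate CA and a leaf certificate.
make_chain() (
  cd "$1"
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Demo Root CA" -days 2 -config ca.cnf -extensions ca_ext 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Demo Intermediate CA" -config ca.cnf 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 1 \
    -days 2 -extfile ca.cnf -extensions ca_ext -out int.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=demo.example" -config ca.cnf 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -set_serial 2 \
    -days 2 -out leaf.pem 2>/dev/null
  # What a correctly configured server sends: leaf first, then the intermediate.
  cat leaf.pem int.pem > fullchain.pem
)

# Verify the leaf as a client trusting only root.pem would. $2 names the file
# the "server" sent; its extra certificates are used as untrusted intermediates.
verify_sent() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/$2" "$1/leaf.pem" 2>&1 || true
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_chain "$work"
echo "server sends leaf.pem only:"; verify_sent "$work" leaf.pem
echo "server sends fullchain.pem:"; verify_sent "$work" fullchain.pem
```

The first verification reports error 20, the exact message this article is about; the second succeeds because the intermediate travels with the leaf, with no change to the client's trust store.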
Step-by-Step Solutions
Ready to solve the “unable to get local issuer certificate” error? Here are field-tested fixes, organized by platform:
1. Git: SSL Certificate Problem Fix
- Update the CA Certificate Bundle
On Linux, run:
sudo apt update
sudo apt install --only-upgrade ca-certificates
On Windows, reinstall Git and select the option to use the latest OpenSSL library.
- Manually Add a Certificate to Git’s Trusted Store (if needed)
cat certificate.pem >> /etc/git/ssl/certs/ca-bundle.crt
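Be cautious: every certificate in this bundle is trusted as an issuer for any HTTPS remote Git connects to, so append only a CA certificate whose origin you have verified.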
- Temporary Workaround (Not Recommended for Production)
You can bypass verification (use only for isolated debugging):
git config --global http.sslVerify false
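Warning: with verification disabled, Git accepts any certificate a server presents, so anyone positioned on the network path can read or alter what you fetch and push, credentials included. Turn verification back on as soon as the debugging session ends.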
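A narrower alternative to both the shared-bundle edit and the global sslVerify switch, shown as an added example (not from the original article): Git's per-URL http.<url>.sslCAInfo setting trusts an internal CA for one host while every other remote keeps the default bundle. The host git.internal.example, the CA path and the scratch config file are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: host, CA path and config file are constructed placeholders.
set -eu

cfg=$(mktemp)                      # scratch config so ~/.gitconfig is untouched
internal="https://git.internal.example/"
ca_file="/etc/ssl/private-ca/internal-root.pem"   # hypothetical CA bundle path

# Trust the internal CA for this one host; http.sslVerify keeps its default (true).
git config --file "$cfg" "http.${internal}.sslCAInfo" "$ca_file"

# Print the CA file Git would use for URL $1 (empty = default bundle).
ca_for() {
  git config --file "$cfg" --get-urlmatch http.sslCAInfo "$1" || true
}

# Succeed only if config file $1 switches certificate verification off.
verify_disabled() {
  [ "$(git config --file "$1" --get --bool http.sslVerify || echo true)" = "false" ]
}

echo "internal remote uses: $(ca_for "${internal}team/repo.git")"
echo "public remote uses:   $(ca_for https://github.com/org/repo.git)"
if verify_disabled "$cfg"; then
  echo "http.sslVerify is OFF in $cfg"
else
  echo "http.sslVerify left enabled"
fi
```

The verify_disabled check can be pointed at any Git config file to spot a leftover debugging override.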
2. cURL: Certificate Validation Troubleshooting
- Point to a Specific CA Certificate:
curl --cacert /path/to/cert.pem https://example.com
- Update System CA Certificates:
sudo update-ca-certificates
- Test with OpenSSL for Deeper Diagnostics:
openssl s_client -connect yourdomain.com:443 -showcerts
3. Node.js: Handling Certificate Chain Issues
4. Web Servers: Nginx and Apache Configurations
- Nginx Example:
ssl_certificate /etc/letsencrypt/live/yourdomain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain/privkey.pem;
- Apache Example:
SSLCertificateFile "/etc/letsencrypt/live/yourdomain/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/yourdomain/privkey.pem"
- After Changing Configs:
systemctl restart nginx
or
systemctl restart apache2
5. Other Platforms
How to Prevent “Unable to Get Local Issuer Certificate” Errors
Experience has taught me the importance of prevention—it’s almost always easier than troubleshooting under pressure. Here’s how industry professionals safeguard against SSL chain headaches:
- Automate CA Certificate Updates:
Schedule regular updates of your CA certificate store (for Linux, run sudo update-ca-certificates -f in a cron job).
- Use Automations Like Certbot:
For public services, Certbot helps ensure your Let’s Encrypt certificates and chains are always current—set and forget.
- Validate Your Configuration:
Test your SSL setup using Qualys SSL Labs or similar free web validation tools.
- Automate Certificate Renewal:
CI/CD pipelines can include steps to renew and validate certificates before deployments.
- Monitor with Transparency Logs:
Many modern teams monitor certificate issuance and expiration with tools that track public Certificate Transparency logs.
- Educate & Document:
Train your team and document the precise SSL configuration steps for your platform. A little institutional memory goes a long way.
Frequently Asked Questions
Navigating the “unable to get local issuer certificate” problem can surface new questions. Here are the ones I hear most, answered from experience.
- What is an SSL certificate chain?
A series of certificates, from your server up to a trusted root, validating authenticity at each step.
- Is it safe to turn off SSL verification?
Never in production. It should be used only for short-term testing—and only if you fully understand the risks.
- How do I spot missing intermediate certificates?
OpenSSL command-line tools or browser developer tools will usually indicate what’s missing in the chain.
- Are problems always on the server?
Not always. Client machines with outdated CA lists or custom environments can cause just as much trouble.
- How do I trust a self-signed certificate?
Manually add it to your local or global certificate trust store. This process varies by operating system.
Wrapping Up: Build Resilience – Not Just a Fix
No matter how frustrating, the “unable to get local issuer certificate” error is simply your system protecting you. As an engineer or administrator, treating these stumbles as a chance to refine your SSL knowledge will pay off again and again. By tackling the root cause and automating defense strategies, you not only fix the present issue—you future-proof your workflow.
Ready to level up your SSL management? Start implementing these fixes today—and if you found this guide helpful, be sure to bookmark it or share with a colleague who’s banging their head against certificate problems!