View All Products
Compute
Storage
Networking
Databases
Services
Developer Tools
Industries
Pricing
Community
Engage With Us
Community Questions curl: (60) SSL certificate problem: unable to get local issuer certificate
Log in to Ask a Question

curl: (60) SSL certificate problem: unable to get local issuer certificate

I have an Ubuntu 18 server. I have a domain name registered with LetsEncrypt. When I try to CURL my own server from my own server, I get the following error. I have verified that this domain name is not in /etc/hosts.

Do I need to update some Ubuntu18 certs? Thanks for any information.

(P.S. - this is because a Wordpress installation on this server is POSTing back to itself).

$ curl -v https://mclarenlabs.com/
*   Trying 45.79.72.165...
* TCP_NODELAY set
* Connected to mclarenlabs.com (45.79.72.165) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

2 Replies

Most likely a server config error.

The server's SSL certificate needs to be set as fullchain.pem and not cert.pem

The former contains the necessary intermediate certificates to chain the leaf cert to a well-known anchor. The latter, only the leaf cert which may not validate.

[SOLVED] Thanks, that helped. Here's what it was.

First - i determined that something was wrong with my server by trying the Curl command on another Ubuntu instance. It got the same error.

I was indeed missing the 'full chain.' I had been using a very old version of acme_tiny.py for obtaining a cert from LetsEncrypt. (My version was from 2017). Newer versions automatically include the intermediate in the returned cert.

I got the new version of acme_tiny.py, ran it to obtain the new cert, restarted the server, and all is well.

Thanks for the pointer.

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Log in to Reply
Community Code of Conduct