Fixing “Unable to get local issuer certificate” issue.

Have you ever set up a Let’s Encrypt SSL certificate for your nginx web server and tested that your API is working, but then later found out that your API does not work for your integrating 3rd party clients? You may be experiencing the “Unable to get local issuer certificate” issue.

But how do you figure out if you are having the same issue? How do you fix it? Here’s how.

Testing for “Unable to get local issuer certificate” issue

To test for this issue, you will need to set up openssl. If you are using MacOS, here’s a quick way to install openssl.

Once you have it installed, simply run:

openssl s_client -connect your-host:443
# example: openssl s_client -connect

This will test your SSL setup for validity, as well as surface potential issues. Here’s a screenshot of what the output might look like:

If you are having an issue, you would get something similar to the results below:

Fixing the Issue

When you generated your Let’s Encrypt Certificate, you were provided with three (3) files:

  1. CA Bundle – your_ca_bundle.crt file
  2. Private Key – your_private.key file
  3. Chain File – your_certificate_chain.pem file

Working with nginx webserver, you’ll notice that you have only two properties to place your SSL certificate and key. There’s no property for the chain file, unlike Apache who has a property SSLCertificateChainFile.

# Example nginx config file
server {
    listen 443 default_server;
    ssl on;
    ssl_certificate /jet/etc/nginx/conf.d/your_ca_bundle.crt;
    ssl_certificate_key /jet/etc/nginx/conf.d/your_private.key;
    # ... more properties below

What you need to do is to simply concatenate your CA Bundle and Chain File through:

cat your_ca_bundle.crt your_certificate_chain.pem > bundle.crt

And finally update your nginx config to use the new file:

server {
    # ... omitted for clarity
    ssl_certificate /jet/etc/nginx/conf.d/bundle.crt;
    # ... omitted for clarity

This should fix your “Unable to get local issuer certificate” issue. You can test if this works through openssl.

Hope this helps!