SSL: certificate verify failed (unable to get local issuer certificate)
SSL: certificate verify failed (unable to get local issuer certificate)
DodaTech
2 min read
The error “SSL: certificate verify failed (unable to get local issuer certificate)” means the SSL/TLS client could not find the intermediate or root CA certificate needed to validate the server’s certificate chain.
What It Means
When a client (curl, wget, a browser, or an application) connects to an HTTPS server, the server presents its certificate chain. The client must verify each certificate up to a trusted root CA. If any intermediate certificate is missing from the client’s trust store, verification fails.
Why It Happens
- The system’s CA certificate bundle is missing or outdated.
- The server did not send the full certificate chain (missing intermediate certificates).
- The
SSL_CERT_FILEorREQUESTS_CA_BUNDLEenvironment variable points to an invalid path. - The application uses a custom CA store that does not include the required root.
- The certificate was issued by an internal CA whose root is not installed on the client.
How to Fix It
1. Update the system CA bundle
Debian / Ubuntu:
sudo apt update && sudo apt install ca-certificates -y
sudo update-ca-certificatesCentOS / RHEL / Fedora:
sudo yum install ca-certificates -y
sudo update-ca-trust force-enable2. Download the missing CA certificate manually
curl --remote-name https://curl.se/ca/cacert.pem
sudo cp cacert.pem /usr/local/share/ca-certificates/
sudo update-ca-certificates3. Set the CA bundle path for curl
export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt4. Disable verification temporarily (testing only)
curl -k https://example.com5. Verify the certificate chain
openssl s_client -connect example.com:443 -showcertsFAQ
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro