The SSL certificate problem: unable to get local issuer certificate error is one of the most common (and confusing) SSL-related issues faced by developers, system administrators, and DevOps teams. It often appears suddenly during API calls, server-to-server communication, application deployments, or while using tools like curl, Composer, or package managers.
This knowledge base article explains what the error actually means, why it happens, and how to fix it across different environments such as Ubuntu and Laravel. We’ll also cover long-term prevention strategies using best practices, enterprise-grade SSL security services, and modern infrastructure components like a secure CDN, SSL offloading, and edge security solutions.
What is the SSL certificate problem: Unable to Get Local Issuer Certificate error?
At its core, the error means that your system cannot verify the SSL certificate presented by a server because it cannot find a trusted Certificate Authority (CA) in its local trust store.
When an SSL/TLS connection is established, the following steps occur:
- The server presents its SSL certificate.
- The client checks whether that certificate was issued by a trusted CA.
- The client validates the full certificate chain (server certificate → intermediate certificate → root CA).
- If any part of the chain is missing or untrusted, the connection fails.
The SSL certificate problem: unable to get local issuer certificate error indicates that the client system cannot validate the issuing authority, even if the certificate itself appears valid.
This error commonly appears in messages such as:
curl: (60) SSL certificate problem: unable to get local issuer certificate
SSL: certificate verify failed (unable to get local issuer certificate)
Composer, npm, or Git SSL verification failures
Common causes of the “Unable to Get Local Issuer Certificate” error
Understanding the root cause makes fixing this issue much easier. Below are the most frequent reasons this error occurs in production and development environments.
1. Missing or outdated CA certificates
Most operating systems rely on a local bundle of trusted CA certificates. If this bundle is outdated or incomplete, SSL verification will fail—especially for newer certificate authorities.
2. Incomplete certificate chain on the server
A server may present only the leaf certificate and omit intermediate certificates. This misconfiguration is one of the most common causes of SSL issuer errors and is frequently seen after certificate renewals.
3. Self-signed certificates
Self-signed certificates are not trusted by default. Unless explicitly added to the local trust store, they will trigger issuer errors in browsers, APIs, and command-line tools.
4. Corporate proxies or SSL inspection
Some enterprise firewalls perform SSL inspection by reissuing certificates using an internal CA. If that CA is not trusted locally, SSL validation fails.
5. CDN, reverse proxy, or load balancer issues
A misconfigured secure CDN, reverse proxy, or load balancer performing SSL offloading may serve the wrong certificate or an incomplete chain, causing issuer validation errors.
6. Minimal OS images and containers
Docker containers, CI/CD runners, and lightweight Linux distributions often lack CA certificates by default, leading to the well-known curl SSL certificate problem, unable to get local issuer certificate.
SSL certificate problem: Unable to Get Local Issuer Certificate on Ubuntu
Ubuntu-based systems frequently encounter this issue due to missing or outdated CA certificate bundles.
Why it happens on Ubuntu
- The ca-certificates package is not installed by default in some environments
- Older Ubuntu versions may not trust newer certificate authorities
- Custom OpenSSL paths override system defaults
How to fix it on Ubuntu
Step 1: Update package lists
sudo apt update
Step 2: Install or reinstall CA certificates
sudo apt install --reinstall ca-certificates
Step 3: Update the CA trust store
sudo update-ca-certificates
Step 4: Test using curl
curl https://example.com
If the error persists, verify OpenSSL’s certificate directory:
openssl version -d
Ensuring Ubuntu systems are properly maintained is critical for environments that rely on automated monitoring, CI pipelines, or backend services protected by SSL security services.
SSL certificate problem: Unable to Get Local Issuer Certificate in Laravel
Laravel applications commonly encounter this issue when making outbound HTTPS requests via Guzzle, cURL, or Composer.
Common Laravel use cases
- API calls to payment gateways or third-party services
- Composer dependency installation failures
- Webhooks and background jobs timing out
Fixing the issue in Laravel
1. Verify system-level CA certificates
Laravel relies on the underlying OS for SSL verification. Fixing the operating system’s CA store often resolves Laravel SSL errors immediately.
2. Specify a CA bundle explicitly (temporary workaround)
'verify' => '/etc/ssl/certs/ca-certificates.crt',
This approach is helpful in controlled environments but should not replace proper certificate management.
3. Avoid disabling SSL verification
Disabling SSL verification may bypass the error but undermines security—especially in setups protected by an advanced web application firewall or handling sensitive data.
How to Fix the “Unable to Get Local Issuer Certificate” Error
The appropriate fix depends on where the trust chain breaks. Below are proven solutions used in real-world deployments.
Fix 1: Update local CA certificates
This resolves most cases across Linux, macOS, and containerized environments.
Fix 2: Install the full certificate chain on the server
Ensure the server provides:
- Leaf certificate
- Intermediate certificates
- (Optional) Root CA
Most certificate authorities provide a full-chain bundle for this purpose.
Fix 3: Review CDN and SSL offloading configuration
When using SSL offloading, verify that:
- The client-facing certificate is complete
- Backend services trust the edge layer
- SSL Full Control settings are not overriding certificate chains incorrectly
Fix 4: Trust internal or private CAs
For internal services or microservices:
- Add the private CA to the system trust store
- Avoid relying on self-signed certificates in production
Fix 5: Harden container and CI environments
Always install CA certificates in Docker images and CI runners to prevent the curl SSL certificate problem, unable to get local issuer certificate during builds and deployments.
How to prevent the “Unable to Get Local Issuer Certificate” Error
Preventing SSL issuer errors requires a combination of correct configuration, automation, and proactive monitoring.
1. Use trusted certificate authorities
Certificates issued by globally trusted CAs reduce compatibility issues across clients, browsers, and operating systems.
2. Centralize certificate management
Platforms offering SSL Full Control simplify certificate lifecycle management and reduce the risk of misconfiguration.
3. Deploy a secure CDN with edge validation
A secure CDN with built-in certificate validation and edge security solutions can detect broken chains before they impact users.
Ensure SSL offloading is consistently implemented across load balancers, CDNs, and origin servers.
5. Monitor SSL health continuously
Combine certificate monitoring with an advanced web application firewall to detect SSL anomalies, expired certificates, and trust chain issues early.
FAQ
1. Can a misconfigured CDN cause SSL issuer errors?
Yes. A misconfigured CDN can serve an incomplete or incorrect certificate chain, especially when SSL Full Control or edge-level certificates are enabled without proper validation.
2. Is this error related to self-signed certificates?
Yes. Self-signed certificates are a common cause of issuer errors unless the signing certificate is manually trusted.
3. Will updating CA certificates on Ubuntu fix this error?
In most cases, yes. Updating CA certificates resolves the majority of Ubuntu-based SSL issuer issues.
4. Can this SSL error affect website availability or monitoring?
Yes. This error can disrupt API communication, uptime monitoring, CI/CD pipelines, and third-party integrations, even if the website itself appears online.