When your system suddenly throws the "unable to get local issuer certificate" error (OpenSSL verify code 20), it typically indicates a certificate chain validation issue. In this case, we're dealing with a StartCom Class 2 certificate chain that's failing validation on the client side.
Example error output from OpenSSL:

```text
verify error:num=20:unable to get local issuer certificate
verify return:0
```
The error occurs because the client cannot build a path from the intermediate CA certificate (StartCom Class 2 Primary Intermediate Server CA) to a root it trusts. While your Apache configuration includes the chain file, the client may not have the StartCom root certificate in its trust store.
Certificate chain shown in the error:

```text
Certificate chain
 0 s:/description=.../CN=*.mydomain.ch
   i:/C=IL/O=StartCom Ltd./CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority
```
First, verify your certificate chain is properly configured in Apache:

```bash
# Check that all certificate files exist
ls -l /etc/ssl/custom/wildcardmydomain.ch.*

# Verify the server certificate against the chain file (the chain file must
# contain the intermediate and the root for this check to succeed)
openssl verify -CAfile /etc/ssl/custom/wildcardmydomain.ch.chain.crt \
  /etc/ssl/custom/wildcardmydomain.ch.crt
```
On Debian/Ubuntu systems, update your CA certificates package:

```bash
sudo apt-get update
sudo apt-get install --reinstall ca-certificates
sudo update-ca-certificates
```
Ensure your chain file contains both the intermediate and the root certificate, with the intermediate first (the order must follow the chain upwards from the server certificate):

```bash
# Create a proper chain file: intermediate first, then root
cat StartCom_Class_2_Intermediate.crt StartCom_Root_CA.crt > wildcardmydomain.ch.chain.crt
```

Then update the Apache configuration:

```apache
SSLCertificateFile      /etc/ssl/custom/wildcardmydomain.ch.crt
SSLCertificateKeyFile   /etc/ssl/custom/wildcardmydomain.ch.key
SSLCertificateChainFile /etc/ssl/custom/wildcardmydomain.ch.chain.crt
```
For newer Apache versions (2.4.8 and later, where SSLCertificateChainFile is deprecated), put the server certificate and the chain into one file and point SSLCertificateFile at it:

```bash
# Combine certificate and chain: server certificate first, then the chain
cat wildcardmydomain.ch.crt wildcardmydomain.ch.chain.crt > combined.crt
```

```apache
SSLCertificateFile    /etc/ssl/custom/combined.crt
SSLCertificateKeyFile /etc/ssl/custom/wildcardmydomain.ch.key
```
After implementing changes, test with OpenSSL:

```bash
openssl s_client -connect seafile.mydomain.ch:443 -showcerts -CApath /etc/ssl/certs/
```
The verification should now return code 0 (ok) instead of 20. If problems persist, consider downloading the latest StartCom root certificates directly from their repository. Note that update-ca-certificates only picks up files in /usr/local/share/ca-certificates/ whose name ends in .crt, so rename the downloaded .pem files when copying them:

```bash
wget https://www.startssl.com/certs/ca.pem
wget https://www.startssl.com/certs/class2/sha2/pem/sub.class2.server.sha2.ca.pem
# update-ca-certificates ignores files that do not end in .crt
sudo cp ca.pem /usr/local/share/ca-certificates/startcom-ca.crt
sudo cp sub.class2.server.sha2.ca.pem /usr/local/share/ca-certificates/startcom-class2-server.crt
sudo update-ca-certificates
```

Bear in mind that the major browsers distrusted StartCom in 2017 and later removed its roots from their trust stores, so adding the roots locally only helps tools that use the system store; an up-to-date browser will still reject the chain.
When working with Apache SSL configurations, you might encounter the frustrating "unable to get local issuer certificate" error. This typically occurs when OpenSSL can't verify the complete certificate chain back to a trusted root certificate.
Example error output:

```text
$ echo | openssl s_client -connect example.com:443
verify error:num=20:unable to get local issuer certificate
verify return:0
```
The error suggests that while your server presents the intermediate certificate, the client can't find the root certificate in its trust store. This commonly happens with certificates from providers like StartCom (as in your case), where the root CA isn't included in standard distributions.
Here's how your Apache configuration should look when properly handling certificate chains:
```apache
<VirtualHost *:443>
    ServerName seafile.example.com
    SSLEngine on

    # Primary certificate
    SSLCertificateFile /etc/ssl/custom/wildcard.example.com.crt
    # Private key
    SSLCertificateKeyFile /etc/ssl/custom/wildcard.example.com.key
    # Combined intermediate and root certificates
    SSLCertificateChainFile /etc/ssl/custom/wildcard.example.com.chain.crt

    # Additional security settings
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
```
For StartCom certificates, you need to create a chain file that includes both intermediate and root certificates, intermediate first:

```bash
# Create the chain file
cat StartCom_Class_2_Intermediate.crt StartCom_Root_CA.crt > wildcard.example.com.chain.crt
```
Use these OpenSSL commands to test your setup:

```bash
# Basic connection test: shows the chain the server actually sends
openssl s_client -connect seafile.example.com:443 -showcerts

# Verify the server certificate against the system trust store. The
# intermediate must be passed with -untrusted, otherwise this check itself
# fails with error 20 even when the server is configured correctly.
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt \
  -untrusted wildcard.example.com.chain.crt wildcard.example.com.crt
```
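To see exactly how the missing intermediate produces verify error 20, and how supplying it clears the error, here is an added example (not from the original answer or the Apache/OpenSSL projects) that builds a throwaway root, intermediate and server certificate with openssl and runs both checks against it. All names, files and the `verify_leaf`/`verify_error_code` helpers are constructed for this demonstration; it needs only the `openssl` CLI and a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the original answer: build a throwaway
# root -> intermediate -> leaf chain, reproduce verify error 20 by checking the
# leaf against the root alone, then clear it by supplying the intermediate.
set -e
WORK=$(mktemp -d)   # all files below are constructed for this demo
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' > "$WORK/leaf.ext"

# Self-signed root CA
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 -sha256 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA, signed by the root
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

# Server (leaf) certificate, signed by the intermediate
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=*.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 2 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# verify_leaf TRUSTED_FILE [UNTRUSTED_FILE]: prints openssl verify's output;
# exit status 0 only when a path from the leaf to TRUSTED_FILE can be built
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1
  fi
}

# verify_error_code TRUSTED_FILE [UNTRUSTED_FILE]: the X509 error number from
# "error N at D depth lookup: ..." (20 = unable to get local issuer), or 0 when OK
verify_error_code() {
  out=$(verify_leaf "$@" || true)
  code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  printf '%s\n' "${code:-0}"
}

# Root only, intermediate not supplied: the client-side failure in the question
echo "root only:           error code $(verify_error_code "$WORK/root.pem")"
# Intermediate supplied, as the server should send it: path builds, code 0
echo "root + intermediate: error code $(verify_error_code "$WORK/root.pem" "$WORK/int.pem")"
```

The same two outcomes are what a client sees when Apache omits or sends the intermediate: the server certificate alone yields error 20, while the certificate plus the intermediate verifies as soon as the root is trusted.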
Ensure your system has updated CA certificates:

```bash
sudo apt-get update
sudo apt-get install --reinstall ca-certificates
sudo update-ca-certificates
```
If you can't modify client trust stores, make sure Apache always sends the intermediate, so that clients only need to trust the root:

```apache
SSLCertificateChainFile /path/to/intermediate.crt
```

Note that SSLCACertificateFile is not the directive for this: it lists the CAs used to verify client certificates (SSLVerifyClient) and has no effect on the chain sent to clients.
When troubleshooting, check:
- File permissions on certificate files
- Certificate expiration dates
- Time synchronization on your server
- Browser-specific trust stores