How to Fix “OCSP Validation: Unable to Get Local Issuer Certificate” Error in Nginx

When dealing with OCSP stapling in Nginx, one common error developers encounter is the certificate chain verification failure. The key error message:

OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate)

This indicates your server cannot properly verify the certificate chain back to a trusted root certificate.

For RapidSSL certificates (now part of DigiCert), the proper chain should be:

1. Your Domain Certificate (mydomain.crt)
2. Intermediate CA (RapidSSL SHA256 CA - G3)
3. Root CA (GeoTrust Global CA)

The verification fails because Nginx cannot automatically locate the root certificate while validating the OCSP response, so the chain cannot be completed. Note that the nginx documentation for ssl_stapling_verify states that the issuer certificate, the root certificate and all intermediate certificates should be configured as trusted via ssl_trusted_certificate; if the root alone does not clear the error, add the intermediate to that file as well.

Here's the proper Nginx configuration fix:

server {
    listen 443 ssl;
    server_name mydomain.tld;

    # Certificate configuration
    ssl_certificate /etc/ssl/certs/ssl-unified.crt;  # Contains domain + intermediate
    ssl_certificate_key /etc/ssl/private/ssl.key;
    
    # OCSP Stapling configuration
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/ca-root.pem;  # Only the root CA
    
    # Resolver used to look up the OCSP responder's hostname
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    
    # Security enhancements
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 24h;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # [Additional cipher suite configuration...]
}

1. Create the unified certificate file:

cat mydomain.crt intermediate.crt > ssl-unified.crt

2. Download and place the root certificate:

wget https://www.geotrust.com/resources/root_certificates/certificates/GeoTrust_Global_CA.pem
mv GeoTrust_Global_CA.pem /etc/ssl/certs/ca-root.pem

3. Verify the configuration:

openssl s_client -connect mydomain.tld:443 -status -CAfile /etc/ssl/certs/ca-root.pem

If issues persist, check:

  1. Certificate file permissions (should be readable by Nginx)
  2. Proper CRLF/LF line endings in certificate files
  3. No trailing spaces in certificate files
  4. Correct file encoding (PEM text format, not binary DER)
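As an added check for items 2 to 4 of that list (example code written for this page, not part of the original article or of Nginx itself), the following Python linter flags the file-level defects that make Nginx reject a concatenated bundle: CRLF endings, trailing whitespace, a DER file mistaken for PEM, invalid base64, and END/BEGIN markers glued onto one line when cat joined a file that lacked a final newline. The fake_cert_pem helper builds constructed placeholder blocks for the demo; they are not real certificates.

```python
import base64
import re

# One PEM certificate block; group 1 is the base64 body between the markers.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.DOTALL)

def lint_pem_bundle(data: bytes) -> list:
    """Return the problems found in a PEM bundle (an empty list means it is clean)."""
    problems = []
    # A DER file starts with an ASN.1 SEQUENCE tag (0x30), not with a '-----BEGIN' line.
    if data[:1] == b"\x30":
        return ["DER-encoded, not PEM: openssl x509 -inform DER -in cert.der -out cert.pem"]
    if b"\r\n" in data:
        problems.append("CRLF line endings found; convert to LF")
    for lineno, line in enumerate(data.split(b"\n"), 1):
        text = line.rstrip(b"\r")
        if text != text.rstrip(b" \t"):
            problems.append(f"line {lineno}: trailing whitespace")
    # 'cat a.crt b.crt' glues END and BEGIN markers together when a.crt has no final newline.
    if b"-----END CERTIFICATE----------BEGIN CERTIFICATE-----" in data:
        problems.append("END marker glued to the next BEGIN marker (missing newline between files)")
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        problems.append("no CERTIFICATE blocks found")
    for idx, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"certificate {idx}: body is not valid base64")
            continue
        if der[:1] != b"\x30":
            problems.append(f"certificate {idx}: decoded body is not an ASN.1 SEQUENCE")
    if not data.endswith(b"\n"):
        problems.append("no final newline; a later 'cat' onto this file will glue markers")
    return problems

def fake_cert_pem(seed: bytes) -> bytes:
    """CONSTRUCTED placeholder block for the demo: a SEQUENCE header plus padding, not a real cert."""
    der = b"\x30\x82\x00\x20" + seed.ljust(32, b"\x00")
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Simulate 'cat leaf.crt intermediate.crt' where leaf.crt lacked its final newline.
    glued = fake_cert_pem(b"leaf").rstrip(b"\n") + fake_cert_pem(b"intermediate")
    print(lint_pem_bundle(glued) or "bundle is clean")
```

To lint a real bundle, read the file in binary mode and pass its contents to lint_pem_bundle; an empty result means the file is at least structurally sound, after which openssl verify confirms the chain itself.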

When implementing OCSP stapling:

  • Monitor the stapled OCSP response and its validity window (This Update / Next Update) with: openssl s_client -connect mysite:443 -status < /dev/null 2>&1 | grep -A 17 'OCSP response'
  • Consider adding a cron job to periodically refresh OCSP responses
  • Test with external SSL testing tools (SSL Labs, CryptCheck)

When implementing OCSP stapling with RapidSSL certificates on Nginx, many administrators encounter the frustrating "unable to get local issuer certificate" error. This occurs because the certificate chain isn't properly established in the server configuration.

The error message indicates that Nginx cannot verify the complete certificate chain during OCSP validation. While basic HTTPS connections work (as shown by your openssl test without -CAfile), the OCSP stapling verification fails because:

1. The GeoTrust root certificate isn't in the system's default trust store
2. The intermediate certificates aren't properly chained in your configuration
3. Nginx needs explicit trust configuration for OCSP validation

For RapidSSL certificates (now part of DigiCert), you need to assemble the certificate chain correctly. Here's the proper order:

# Concatenate certificates in this exact order
cat myserver.crt RapidSSL_SHA256_CA-G3.crt GeoTrust_Global_CA.crt > fullchain.crt

The complete nginx configuration should look like:

server {
    listen 443 ssl;
    server_name mydomain.tld;
    
    ssl_certificate /etc/ssl/certs/fullchain.crt;
    ssl_certificate_key /etc/ssl/private/ssl.key;
    
    # OCSP Stapling Configuration
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/GeoTrust_Global_CA.pem;
    
    # For certificate chain verification
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    
    # Modern SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256...';
}

After implementing these changes, verify your setup:

# Check OCSP response
openssl s_client -connect mydomain.tld:443 -status < /dev/null 2>&1 | grep -A 17 'OCSP response'

# Full chain verification
openssl verify -CAfile /etc/ssl/certs/GeoTrust_Global_CA.pem -untrusted RapidSSL_SHA256_CA-G3.crt myserver.crt

If you're still experiencing issues:

  • Ensure your system clock is synchronized (OCSP responses are time-sensitive)
  • Check for firewall blocks on OCSP responder URLs (gv.symcd.com)
  • Consider using Let's Encrypt's certbot which automatically handles chain configuration