
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY Error

Note

Current version of Web Safety allows you to fix this error automatically. You just need to navigate to Admin UI / Squid / HTTPS tab and set the [X] Try to automatically download missing intermediate HTTPS certificates checkbox. Consider reading the article anyway - just to understand why this error occurs in the first place.

If you have implemented HTTPS filtering with SSL Bump (HTTPS decryption) in Squid proxy, you have most likely seen the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error.

The reason for this error is simple: the certificate chain presented by the remote HTTPS site cannot be completed from the certificates that Squid has in its store. Typically the site sends only its own certificate, and the intermediate CA certificate that signed it is neither sent by the server nor present in the proxy's certificate store. Squid therefore cannot verify the server certificate, and without a verified chain it does not generate the mimicked certificate required for HTTPS filtering; the browser gets an error page instead.

For example, consider incomplete-chain.badssl.com. If you access it directly in a browser, you will not see any errors. If you access it through the HTTPS filtering proxy, the following error page appears in the browser.

[Screenshot: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error page]

If you take a closer look at the error page, it becomes clear that the certificate of the following intermediate certificate authority is missing:

COMODO RSA Domain Validation Secure Server CA

It is missing because the administrator of incomplete-chain.badssl.com has configured the web server incorrectly. The TLS standards require the server to send the complete chain of certificates from its own certificate up to, but not necessarily including, the root certificate (the root is expected to be in the client's trust store already). Here only the site certificate is sent and the intermediate certificate is left out. Browsers hide this mistake because they cache intermediates seen on other sites or fetch the missing one from the URL in the certificate's Authority Information Access extension; Squid does neither by default, so the chain fails to verify.

To confirm this, open the online Qualys SSL Labs SSL Server Test. Type incomplete-chain.badssl.com into the search field and click Submit. The tool reports an Incomplete Chain problem, as shown on the following screenshot.

[Screenshot: SSL Labs result showing Incomplete Chain]

Scroll the result page down and see what intermediate certificate is missing from the chain.

[Screenshot: SSL Labs result showing the missing intermediate certificate]

Note

This page explains more about what intermediate certificates are.

To fix this X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error without the automatic download feature, we must download the missing intermediate certificate manually and make it available to Squid.

Which Certificate to Download?

To find out which certificate to download, expand the Incomplete Chain entry on the SSL Labs result page and copy only the missing intermediate certificate from the output (the block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----). Save it as a file named missing.pem. Do not include the site certificate or the root certificate in this file.

[Screenshot: expanded Incomplete Chain entry on SSL Labs]

[Screenshot: missing intermediate certificate in PEM form]

Now we need to add it to the proxy system. There are two possible ways to do it.

Upload Missing Certificate in Admin UI

Web Safety can add missing certificates to the Squid intermediate certificate storage; this is the recommended way. Navigate to Admin UI / Squid / HTTPS / Missing Certificates and upload the PEM file of the certificate as indicated on the following screenshots.

[Screenshot: Missing Certificates list in Admin UI]

[Screenshot: missing certificate added to the list]

Click Save and Restart so that Squid loads the updated storage. After that, access to incomplete-chain.badssl.com through the proxy succeeds.
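The failure described above, the way to identify the missing certificate, and the effect of supplying it can all be reproduced offline with nothing but the openssl command line tool. The following script is an added example and is not code from Web Safety or Squid. It builds a throwaway three-level PKI (root CA, intermediate CA, site certificate; all names, hostnames and URLs are hypothetical), verifies the site certificate against a store that holds only the root (which is what Squid sees when the server omits the intermediate), and then verifies it again with the intermediate supplied as an untrusted chain-building certificate, which is what the Missing Certificates storage achieves. It assumes openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not part of Web Safety or Squid: reproduce
# X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY offline with a throwaway PKI
# (root CA -> intermediate CA -> site certificate) and show that supplying the
# missing intermediate is exactly what makes verification pass.
# Assumes only the openssl command line tool (1.1.1 or later).
# All names, hostnames and URLs below are hypothetical.

WORK="${WORK:-$(mktemp -d)}"

build_chain() {
    # Extension profiles: the two CAs must be CAs, the site certificate must not.
    # The site certificate also carries an AIA "CA Issuers" pointer, as real
    # certificates do; it is the hint a browser (or an auto-download feature)
    # uses to fetch the intermediate the server forgot to send.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:incomplete-chain.example\nauthorityInfoAccess=caIssuers;URI:http://ca.example/intermediate.der\n' \
        > "$WORK/leaf.ext"

    # 1. Self-signed root CA (this is what sits in the trust store).
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

    # 2. Intermediate CA, signed by the root (the certificate that goes missing).
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/inter.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null

    # 3. Site certificate, signed by the intermediate. A misconfigured server
    #    sends only this file.
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -subj "/CN=incomplete-chain.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/leaf.csr" \
        -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# What the proxy sees: the site certificate alone, checked against a store that
# holds the root but not the intermediate. openssl reports error 20,
# "unable to get local issuer certificate" (the X509_V_ERR above), and exits
# non-zero.
verify_leaf_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1
}

# The fix: make the intermediate available for chain building. -untrusted is
# the openssl equivalent of Squid's intermediate certificate storage: the
# certificate is used to build the path to the root, not trusted as a root.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        "$WORK/leaf.pem" 2>&1
}

# Which certificate is missing? The issuer named in the site certificate...
missing_issuer() {
    openssl x509 -in "$WORK/leaf.pem" -noout -issuer
}

# ...and, if the CA published it, where it can be downloaded from (AIA).
missing_issuer_url() {
    openssl x509 -in "$WORK/leaf.pem" -noout -ext authorityInfoAccess
}

build_chain
echo "--- site certificate only (proxy without the intermediate):"
verify_leaf_only
echo "--- site certificate plus intermediate:"
verify_with_intermediate
echo "--- missing issuer and where to fetch it:"
missing_issuer
missing_issuer_url
```

For a real site, the same two questions are answered by `openssl s_client -connect host:443 -showcerts` (what the server actually sends) and by the `-issuer` and `-ext authorityInfoAccess` output of the site certificate; the AIA URL is the same source the automatic download feature in Web Safety relies on.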

Install Missing Certificate into System Certificate Storage

It is also possible to add this certificate to the operating system's certificate store. This method is generally not recommended: update-ca-certificates places the intermediate in the system CA bundle next to the real root certificates, where it is trusted by every program on the host that uses that bundle, not only by Squid. Making an intermediate "globally trusted" in this way is usually more than HTTPS filtering needs.

  • Open a root terminal and copy missing.pem into /usr/local/share/ca-certificates/ with a .crt extension, for example /usr/local/share/ca-certificates/missing.crt. Please note that update-ca-certificates only picks up files whose extension is .crt.
  • Run sudo update-ca-certificates to rebuild the system certificate bundle.
  • Restart Squid by running systemctl restart squid.

[Screenshot: update-ca-certificates output on Ubuntu]

[Screenshot: incomplete-chain.badssl.com loading successfully through the proxy on Ubuntu]

Note

To remove this manually installed intermediate certificate from the bundle, delete the .crt file from /usr/local/share/ca-certificates, run sudo update-ca-certificates, and finally remove any dangling links to the no longer existing certificate in the /etc/ssl/certs folder (running sudo update-ca-certificates --fresh instead rebuilds all links in /etc/ssl/certs from scratch and removes such leftovers).