Press "Enter" to skip to content

[Techy] Getting cURL to work with Let’s Encrypt: unable to get local issuer certificate error

Last updated on June 2, 2016

On my test Debian jessie 8.2 and a staging server Ubuntu trusty 14.04, I had problems being able to use cURL to fetch data from a remote HTTPs site which was secured using a free Let’s Encrypt certificate (this problem manifested itself via both PHP 7 cURL functions and curl directly).

An example of the error is:

curl --verbose https://helloworld.letsencrypt.org/
...
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

To fix this, I found the following steps worked:
sudo apt-get install --reinstall ca-certificates
to ensure you have the latest certificates by your distribution – this might help you, but it didn’t assist me 🙁

So I downloaded the Let’s Encrypt root certificates and forced a rebuild of the certificate store:

sudo curl https://letsencrypt.org/certs/isrgrootx1.pem.txt -o /usr/local/share/ca-certificates/isrgrootx1.crt
sudo curl https://letsencrypt.org/certs/letsencryptauthorityx1.pem.txt -o /usr/local/share/ca-certificates/letsencryptauthorityx1.crt
sudo curl https://letsencrypt.org/certs/letsencryptauthorityx2.pem.txt -o /usr/local/share/ca-certificates/letsencryptauthorityx2.crt
sudo curl https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx1.crt
sudo curl https://letsencrypt.org/certs/lets-encrypt-x2-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx2.crt
sudo curl https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx3.crt
sudo curl https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx4.crt
sudo dpkg-reconfigure ca-certificates

and everything worked!

If you are running Java, you may need to also add the certificates to the Java Keytool:
keytool -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -importcert -file /usr/local/share/ca-certificates/isrgrootx1.crt
keytool -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -importcert -file /usr/local/share/ca-certificates/letsencryptauthorityx1.crt

(change the storepass password [default of “changeme”] to whatever is relevant to you)

6 Comments

  1. Two years later and the only tip that worked! Thank you so much!

  2. psyray psyray

    4 years later, always working, thanks 😉

  3. Thank you, thank you, this did the trick. (Late 2020, and the solution was valid for both my 16.04 and 18.04 Ubuntu rigs.)

  4. .Tom .Tom

    This post is misleading in a couple of ways.

    1. The problem is not with LE certs, it is with web servers that are not properly configured to send intermediate CA certs together with the server cert.

    This can happen with any server cert since roots no longer issue end-entity certs. It just became more common for us to encounter this server config problem with LE since they are issuing so many certs now.

    2. It’s inaccurate where it says “So I downloaded the Let’s Encrypt root certificates”. These aren’t root certs, they are intermediate CA certs.

    So by following the instructions here you’re adding an issuer’s cross-signed intermediate CA certs into your root trust store. That subverts LE’s role in PKI.

    • Hi Tom,

      Sorry for the nearly 2 year wait to approve your comment – I’ve been away from blogging for that long. Basically, our scenario was that we needed to be able to access sites which did not have the certificates setup correctly.

      Yes, you are correct that they are the intermediate certificates and not actually the “root root” ones, but they are/were the “root ones for Let’s Encrypt”: which, when you had a “spun up for this site only” VM-based web service which just wanted to access one site without actually caring about security (but needing to be able to pull the certificate, inspect them and inspect the site contents), it worked for our needs.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.