curl: (60) SSL certificate : unable to get local issuer certificate - ubuntu

Question

We run the following software versions:

• Ubuntu 18.04.5
• Apache 2.4.29
• curl 7.58.0

We run an education application, and as part of this we have numerous APIs which upload files to a third party website https://api.turnitinuk.com from our webserver https://nclhe-moodle.ncl-coll.ac.uk.

We renewed our SSL certificate for nclhe-moodle.ncl-coll.ac.uk in December 2020 on the webserver successfully and everything carried on working as we expected it to, but then suddenly in February 2021 we started getting the following error and the upload failed.

curl: (60) SSL certificate : unable to get local issuer certificate

(I dont understand what the local issuer certificate is, is it the client (the webserver) or the server)

Not sure why, it just started in February 2021 when the certificates were renewed in December 2020.

If I bypass the IPS Certificate checking on our proxy server, our API works successfully.

These are what I have tried so far to resolve this issue:

• Ran this command on the webserver:

  curl -vs https://api.turnitinuk.com
  

  Error below:

  * Rebuilt URL to: https://api.turnitinuk.com/
  *   Trying 199.47.86.35...
  * TCP_NODELAY set
  * Connected to api.turnitinuk.com (199.47.86.35) port 443 (#0)
  * ALPN, offering h2
  * ALPN, offering http/1.1
  * successfully set certificate verify locations:
  *   CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
  * TLSv1.3 (OUT), TLS handshake, Client hello (1):
  * TLSv1.3 (IN), TLS handshake, Server hello (2):
  * TLSv1.2 (IN), TLS handshake, Certificate (11):
  * TLSv1.2 (OUT), TLS alert, Server hello (2):
  * SSL certificate problem: unable to get local issuer certificate
  * stopped the pause stream!
  * Closing connection 0
  

• Run the following OpenSSL command to get the certificate chain from the our Moodle instance

  openssl s_client -showcerts -servername nclhe-moodle.ncl-coll.ac.uk -connect nclhe-moodle.ncl-coll.ac.uk:443
  

• Downloaded all 3 certificates in the certificate chain of https://nclhe-moodle.ncl-coll.ac.uk and checked to ensure they were already in the /etc/ssl/certs/ca-certificates.crt file. Sure enough, one of them, the intermediate cert, was not in the ca-certificates.crt file.

• Converted the 1 .cer files to .crt using the following command

  openssl x509 -inform PEM -in QuoVadis_Global_SSL_ICA_G3.cer -out QuoVadis_Global_SSL_ICA_G3.crt
  

• Uploaded the .crt file to /usr/local/share/ca-certificates directory.

• Run the command

  sudo update-ca-certificates
  

• Looking at the /etc/ssl/certs/ca-certificates.crt file then missing certificate is now in the file and the 2 sym-links hves been created in the /etc/ssl/certs directory as follows

  • QuoVadis_Global_SSL_ICA_G3.pem -> /usr/local/share/ca-certificates/QuoVadis_Global_SSL_ICA_G3.crt

  • 35e514f6.0 -> QuoVadis_Global_SSL_ICA_G3.pem

• Stopped and restarted apache

  sudo /etc/init.d/apache2 stop
  sudo /etc/init.d/apache2 start
  

• Retried again but i still have the same error

Another question from me:

In my /etc/ssl/certs file all of the CA's are sym-linked to /usr/share/ca-certificates apart from the CA which i have just applied which is sym-linked to /usr/local/share/ca-certificates. Is this an issue bearing in mind the certificate is part of the /etc/ssl/certs/ca-certificates/crt file?

I am a bit stumped about what else to try and have researched this extensively to try and fix it myself, can anybody help

Many thanks in advance,

Mac

---

The latest update - the issue is not yet resolved. The files are uploaded automatically via an API, so the turnitin application sits within https://nclhe-moodle.ncl-coll.ac.uk , the users login , click a few buttons and the app uploads files via the API to https://api.turnitinuk.com. The only thing that has changed is the SSL cert was renewed successfully in December 2020 but this issue never started until Feb 2021.

Answer 1

From reading your question, the client is the university server and the server is the TurnitinUK server.

The message is telling you that the university server doesn't trust the TurnitinUK server.

All you need is the addition of the AAA Certificate Services to your ca-certificates.crt file - no more. This file is your trust-anchor store and the trust-anchor is the Root CA used by TurnitinUK. It is not the add-all-certificates-I-can-find-in-a-vain-hope-that-things-will-work store :-)

As you've noticed, the server sends you all its certificates (including the Root, which is superfluous), so you don't need them added at your client end (you should never do that). All you need to do is tell the client that you trust the last certificate in the chain (the Root CA cert) and the magic of PKI will sort the rest out. Any certificate signed by the Root CA is trusted (once its added to the trust-store), so your subordinate CA and end-entity certificates are all trusted when they are presented to you by the server.

Try cleaning out /usr/local/share/ca-certificates leaving just the AAA Certificate Services one and re-run update-ca-certificates.