Open in app

Sign in

Write

Sign in

What Does Unable to Get Local Issuer Certificate Error Mean

Priya Mervana
5 min readJul 9, 2024

--

The “unable to get local issuer certificate” error is related to issues with SSL/TLS certificates. It indicates that the certificate chain could not be verified back to a trusted root certificate authority. This error typically occurs in web browsers when connecting to a website that is using an untrusted or invalid SSL certificate.

What Causes the Unable to Get Local Issuer Certificate Error

There are a few common causes for the “unable to get local issuer certificate” error:

Expired Certificate

SSL/TLS certificates have a validity period and expire after a certain date. If the certificate expires, the browser will no longer trust it and will display the “unable to get local issuer certificate” error. The website needs to renew their SSL certificate to resolve this issue.

Self-Signed Certificate

A self-signed certificate is signed by the entity that generated the certificate rather than a trusted certificate authority. Browsers do not inherently trust self-signed certificates, so they will show the “unable to get local issuer certificate” error. The website needs to install a valid SSL certificate signed by a trusted authority.

Certificate Authority Not Trusted

Browsers and operating systems ship with a pre-installed set of trusted root certificates from major certificate authorities. If the website’s certificate was issued by a certificate authority that is not trusted by the browser or OS, it will result in the error. The CA needs to be added to the trust stores to resolve this.

Incorrect Certificate Chain

SSL certificates rely on an intermediate certificate chain to verify trust back to a root CA. If the certificate chain is not properly installed on the web server, it will break the chain of trust and trigger the error. The correct intermediate certificate chain needs to be installed.

Domain Mismatch

The domain name the certificate is issued for must match the domain the browser is trying to connect to. If there is a mismatch, the certificate cannot be verified and will fail with the “unable to get local issuer certificate” error. The website needs to get an updated certificate issued for the correct domain name.

Revoked Certificate

If a certificate authority determines a certificate has been compromised, they can revoke that certificate. Revoked certificates will no longer be trusted and result in the error. The website operator will need to replace the revoked certificate with a new valid one.

When Does the Unable to Get Local Issuer Certificate Error Occur

The “unable to get local issuer certificate” error will occur when first attempting to connect to a website over HTTPS and the initial SSL/TLS handshake fails.

The error prevents the webpage from loading further and displays an alert or warning in the browser. Depending on the browser, the exact wording may vary slightly but will indicate the certificate chain could not be verified.

How to Fix the Unable to Get Local Issuer Certificate Error

Fixing the “unable to get local issuer certificate” error requires investigating the cause and addressing the underlying certificate issue:

Renew Expired Certificate

If the certificate is expired, renew the SSL certificate from the certificate authority. Install the new valid certificate on the web server.

Install Trusted Certificate

For self-signed or untrusted authority certificates, obtain and install a certificate from a trusted authority like Let’s Encrypt, Comodo, Digicert or GoDaddy.

Install Intermediate Certificates

Make sure any required intermediate certificates are installed on the server to complete the chain of trust.

Correct Domain Name Mismatch

Request and install a new certificate that matches the correct domain name the site should be accessed at.

Replace Revoked Certificate

If the certificate was revoked, get a new certificate installed on the web server.

Update Trust Stores

On client computers and devices, make sure root certificates are up-to-date so CAs will be trusted.

Once the underlying issue is addressed, the browser should be able to verify the certificate chain and trust the connection, eliminating the error.

Bypassing the Unable to Get Local Issuer Certificate Error

While fixing the certificate issue is recommended, there are ways to bypass the error in some browsers:

  • Chrome — Type “thisisunsafe” on the error screen and click “Advanced” then “Proceed”.
  • Firefox — Click “Advanced” then “Accept the Risk and Continue”.
  • Safari — Go to Preferences > Advanced and enable “Show Develop menu”. From Develop menu, choose “Disable Certificate Validation”.
  • IE — Click “Continue to this website” on the error page.

This will allow you to access the site but leaves you open to potential security risks from the invalid certificate. Use bypass methods at your own risk.

Potential Risks of Bypassing the Error

Bypassing certificate errors rather than fixing them comes with some risks:

  • Man-in-the-Middle Attack — An attacker could intercept the insecure connection and monitor or modify traffic.
  • Spoofing — The invalid certificate could be used to spoof or impersonate the real website.
  • Data Exposure — Traffic sent over the connection could be decrypted and accessed by others.
  • Malware — The invalid certificate could be tied to malware or phishing sites instead of the real site.

When possible, it’s always preferable to fix the root cause of the certificate error rather than simply bypass it. Valid certificates signed by trusted authorities protect users and website owners.

How to Prevent the Unable to Get Local Issuer Certificate Error

To avoid “unable to get local issuer certificate” errors in the future, website owners should:

  • Purchase SSL certificates from known, trusted authorities
  • Make sure to renew certificates before they have a chance to expire
  • Properly install intermediate certificate chains
  • Keep private keys safe to avoid compromise
  • Request certificates using the exact domain name used by the site
  • Monitor certificate authority trust and update as needed
  • Replace certificates that get revoked or compromised
  • Use Certificate Transparency to detect and avoid mistakenly issued certificates

Following best practices for SSL deployment, maintenance, and monitoring will help prevent issues that lead to the error.

Summary

The “unable to get local issuer certificate” error occurs when a browser cannot verify the SSL certificate chain back to a trusted authority. It is most often caused by expired, self-signed, or incorrectly installed certificates, domain mismatches, and revocations. While it can be bypassed, fixing the underlying issue is the best approach for security. Following SSL certificate best practices will help avoid this common error.

Security
Encryption
Warning
Guides And Tutorials
Ssl

--

--

Priya Mervana
Priya Mervana

Written by Priya Mervana

433 Followers
975 Following

Cyber & Web Security expert with 10+ years securing data privacy through SSL, and threat analysis.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams