Hello! This is my first post on this platform.
I am running a community server for a game and made a script that checks each joining player's account creation age, essentially to not let very new players join. This script has run flawlessly over the past year, but now the host machine is no longer able to establish a secure SSL connection to the API of the game authors to fetch the account age information.
In my own browser on my machine I can open the website flawlessly, and the TLS cert is valid. When I try to connect to the same page on the server I get
curl https://beammp.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
And with openssl
openssl s_client --connect beammp.com:443
Connecting to 2606:4700:3030::6815:7001
CONNECTED(00000003)
depth=2 C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
verify return:1
depth=0 CN=beammp.com
verify return:1
---
Certificate chain
0 s:CN=beammp.com
i:C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA256
v:NotBefore: Apr 8 00:07:28 2025 GMT; NotAfter: Jul 7 00:13:53 2025 GMT
1 s:C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
i:C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA384
v:NotBefore: Oct 31 17:17:49 2023 GMT; NotAfter: Oct 28 17:17:48 2033 GMT
2 s:C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption
v:NotBefore: Jun 21 00:00:00 2024 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
subject=CN=beammp.com
issuer=C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
Negotiated TLS1.3 group: X25519MLKEM768
---
SSL handshake has read 4120 bytes and written 1623 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
From reading more than a dozen forum posts I understood that this is an issue on my host.
So I have already run
pacman -Syu
update-ca-trust
and I have also rebooted the system just in case.
Both didn't help. So I thought maybe the CA cert bundle is broken in some way, or maybe the config that e.g. curl uses
curl-config --ca
/etc/ssl/certs/ca-certificates.crt
Looking at that path
ls -l /etc/ssl/certs/ | grep ca-certificates.crt
lrwxrwxrwx 1 root root 49 Jun 18 2024 ca-certificates.crt -> ../../ca-certificates/extracted/tls-ca-bundle.pem
With the 'ca-certificates.crt' file being marked red (I'm not sure what that means). But it links to another path
ls -l /etc/ca-certificates/extracted/ | grep tls-ca-bundle.pem
-r--r--r-- 1 root root 218874 May 13 05:06 tls-ca-bundle.pem
With the 'tls-ca-bundle.pem' file being marked red too. But the file contains data, is up to date and has read permissions. Doesn't look like this is it.
Then I remembered that I had installed a virtual machine on that host a while ago and booted it up. It can flawlessly build a connection to the website.
openssl s_client --connect beammp.com:443
Connecting to 104.21.80.1
CONNECTED(00000003)
depth=3 C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
verify return:1
depth=2 C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
verify return:1
depth=1 C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
verify return:1
depth=0 CN=beammp.com
verify return:1
---
Certificate chain
0 s:CN=beammp.com
i:C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
v:NotBefore: Apr 8 00:07:28 2025 GMT; NotAfter: Jul 7 00:13:53 2025 GMT
1 s:C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
i:C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
v:NotBefore: Oct 31 17:17:49 2023 GMT; NotAfter: Oct 28 17:17:48 2033 GMT
2 s:C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 21 00:00:00 2024 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
subject=CN=beammp.com
issuer=C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3031 bytes and written 398 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
The notable difference is that the VM tries to connect over IPv4 while the host chooses IPv6, and that the certificate chain's PKEY details are different, e.g.
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
instead of
a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA256
But this may simply be normal because of the IPv4/IPv6 difference?
So maybe it's the IPv6 connection, I thought
curl -4 https://beammp.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.
Nope.
Next I thought I should check the CA certs that I have locally. The openssl check states
issuer=C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
So I ran this on both the host and the VM
ls -l /etc/ca-certificates/extracted/cadir | grep Cloudflare
ls -l /etc/ca-certificates/extracted/cadir | grep CLOUDFLARE
Both return nothing on both the host and VM, and I'm certain I'm doing something wrong here.
And this is where I'm stuck and uncertain on how to progress on debugging this, and I'm hoping for help (:
Last edited by Ralpatino (2025-05-13 13:21:18)
Additionally I have checked if the server can connect to other websites.
curl https://google.com
No issue
Then I have also reinstalled ca-certificates and ca-certificates-utils
pacman -Syu ca-certifcates
pacman -Syu ca-certifcates-utils
and reran
update-ca-trust
but to no avail
ran flawlessly over the past year, but now the host machine is no longe
What happened interim?
Then i remembered that i had installed a virtual machine on that host a while ago and booted it up.
Same versions of openssl/ca-cert?
The bad one lacks
depth=3 C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
verify return:1
despite
2 s:C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption
v:NotBefore: Jun 21 00:00:00 2024 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
Wild guess:
date
matches a wall clock?
Run
strace -f -o /tmp/curl.strace curl -o /dev/null -s https://beammp.com
to check whether curl is looking at the wrong file(s)
openssl s_client -4 --connect beammp.com:443
will allow you to mimic IPv4 on the IPv6 host
Sidebar:
- ls -l /etc/ssl/certs/ | grep ca-certificates.crt
+ ls -l /etc/ssl/certs/ca-certificates.crt
man realpath
man stat
When in doubt - C4!
https://www.ssllabs.com/ssltest/analyze … com&latest
the service is behind cloudflare - and although they might know what they do it could be the server op who doesn't, and hence there could be an issue between cloudflare and the upstream server we cannot test
maybe contact the server op so they can check their upstream connection
What happened interim?
Regular server updates with pacman -Syyu, setting up a docker container here and there, nothing I can think of causing this except an update breaking; it just seems so odd that it's only for this website
Same versions of openssl/ca-cert?
Using
pacman -Q --info ca-certificates
On the host
Name : ca-certificates
Version : 20240618-1
Description : Common CA certificates - default providers
Architecture : any
URL : https://src.fedoraproject.org/rpms/ca-certificates
Licenses : GPL-2.0-or-later
Groups : None
Provides : None
Depends On : ca-certificates-mozilla
Optional Deps : None
Required By : curl python-requests qca-qt6
Optional For : openssl wget
Conflicts With : ca-certificates-cacert<=20140824-4
Replaces : ca-certificates-cacert<=20140824-4
Installed Size : 0.00 B
Packager : Jan Alexander Steffens (heftig) <heftig@archlinux.org>
Build Date : Tue 18 Jun 2024 08:36:40 PM CEST
Install Date : Tue 13 May 2025 03:57:31 AM CEST
Install Reason : Installed as a dependency for another package
Install Script : No
Validated By : Signature
The VM
Name : ca-certificates
Version : 20220905-1
Description : Common CA certificates (default providers)
Architecture : any
URL : https://src.fedoraproject.org/rpms/ca-certificates
Licenses : GPL
Groups : None
Provides : None
Depends On : ca-certificates-mozilla
Optional Deps : None
Required By : curl
Optional For : openssl wget
Conflicts With : ca-certificates-cacert<=20140824-4
Replaces : ca-certificates-cacert<=20140824-4
Installed Size : 0.00 B
Packager : Jan Alexander Steffens (heftig) <heftig@archlinux.org>
Build Date : Mon Sep 5 21:59:24 2022
Install Date : Mon Jan 1 19:05:04 2024
Install Reason : Installed as a dependency for another package
Install Script : No
Validated By : Signature
Very dated
The bad on lacks[...]
That sounds like a lead
Same versions of openssl/ca-cert?
Tue May 13 04:26:38 PM CEST 2025
That matches the time exactly
Run: strace -f -o /tmp/curl.strace curl -o /dev/null -s https://beammp.com
I uploaded the output here https://hastebin.de/ovaxidavij.yaml
Run: openssl s_client -4 --connect beammp.com:443
Connecting to 104.21.16.1
CONNECTED(00000003)
depth=2 C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
verify return:1
depth=0 CN=beammp.com
verify return:1
---
Certificate chain
0 s:CN=beammp.com
i:C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA256
v:NotBefore: Apr 8 00:07:28 2025 GMT; NotAfter: Jul 7 00:13:53 2025 GMT
1 s:C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
i:C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA384
v:NotBefore: Oct 31 17:17:49 2023 GMT; NotAfter: Oct 28 17:17:48 2033 GMT
2 s:C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption
v:NotBefore: Jun 21 00:00:00 2024 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
subject=CN=beammp.com
issuer=C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
Negotiated TLS1.3 group: X25519MLKEM768
---
SSL handshake has read 4119 bytes and written 1623 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
Sidebar:
- ls -l /etc/ssl/certs/ | grep ca-certificates.crt
+ ls -l /etc/ssl/certs/ca-certificates.crt
man realpath
man stat
Thank you
Tried it all, seems correct to me
realpath /etc/ssl/certs/ca-certificates.crt
/etc/ca-certificates/extracted/tls-ca-bundle.pem
stat /etc/ssl/certs/ca-certificates.crt
File: /etc/ssl/certs/ca-certificates.crt -> ../../ca-certificates/extracted/tls-ca-bundle.pem
Size: 49 Blocks: 0 IO Block: 4096 symbolic link
Device: 9,2 Inode: 1049599 Links: 1
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2025-05-13 05:02:21.668123137 +0200
Modify: 2024-06-18 20:36:40.000000000 +0200
Change: 2025-05-13 05:02:20.988116210 +0200
Birth: 2025-05-13 05:02:20.988116210 +0200
Then looking at the actual file
stat /etc/ca-certificates/extracted/tls-ca-bundle.pem
File: /etc/ca-certificates/extracted/tls-ca-bundle.pem
Size: 218874 Blocks: 432 IO Block: 4096 regular file
Device: 9,2 Inode: 1049549 Links: 1
Access: (0444/-r--r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2025-05-13 05:06:16.500842418 +0200
Modify: 2025-05-13 05:06:11.227441863 +0200
Change: 2025-05-13 05:06:11.227441863 +0200
Birth: 2025-05-13 05:06:11.217441736 +0200
Mythbusters wrote:When in doubt - C4!
https://www.ssllabs.com/ssltest/analyze … com&latest
the service is behind cloudflare - and although they might know what they do it could be the server op who doesn't, and hence there could be an issue between cloudflare and the upstream server we cannot test
maybe contact the server op so they can check their upstream connection
The same system can and can't build an SSL connection (host can't, VM can). I'm not sure how this could be caused on their end if both the host and VM use the same connection and connect to the same IPv4. This seems very much like a problem on my end.
Edit: no, they don't connect to the same IPv4. The host goes to 104.21.16.1 and the VM to 104.21.80.1. My bad.
Last edited by Ralpatino (2025-05-13 15:07:32)
Trying to understand the strace output, but I'm honestly not grasping the issue from it
The strace will not reveal what's wrong here, have you tried to align the IPs ie. map beammp.com to 104.21.80.1 in /etc/hosts ?
[Edit: purpose of the strace was to make sure you're not using some unexpected files by some curl config or environment variable]
Last edited by seth (2025-05-13 19:52:51)
The strace will not reveal what's wrong here, have you tried to align the IPs ie. map beammp.com to 104.21.80.1 in /etc/hosts ?
No, I had not thought of that and now immediately tried
/etc/hosts
104.21.80.1 beammp.com
Then I ran
$ openssl s_client -4 --connect beammp.com:443
Connecting to 104.21.80.1
CONNECTED(00000003)
depth=2 C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
verify return:1
depth=0 CN=beammp.com
verify return:1
---
Certificate chain
0 s:CN=beammp.com
i:C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA256
v:NotBefore: Apr 8 00:07:28 2025 GMT; NotAfter: Jul 7 00:13:53 2025 GMT
1 s:C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
i:C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA384
v:NotBefore: Oct 31 17:17:49 2023 GMT; NotAfter: Oct 28 17:17:48 2033 GMT
2 s:C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption
v:NotBefore: Jun 21 00:00:00 2024 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
subject=CN=beammp.com
issuer=C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
Negotiated TLS1.3 group: X25519MLKEM768
---
SSL handshake has read 4120 bytes and written 1623 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
Which confirms that it took the newly configured address, but the cert issue continues to exist. I've tried this with two other IPs to no avail.
So not the destination.
openssl s_client -debug -showcerts -4 --connect beammp.com:443
So not the destination.
openssl s_client -debug -showcerts -4 --connect beammp.com:443
This is the output https://pastebin.com/pECQP00t
Earlier you mentioned how the bad one lacks
depth=3 C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
verify return:1
despite
2 s:C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption
v:NotBefore: Jun 21 00:00:00 2024 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
I tried to understand what you could have meant with it, but I'm honestly not sure.
Normally, "unable to get local issuer certificate" means you don't trust whomever you are trying to connect to. Do you have the public key for the far end (the API server)? I think this means if you install the issuer (CA) certificate of whomever issues the API server's certificate, then your system will trust it. If that makes sense.
"Give a man a truth and he will think for a day. Teach a man to reason and he will think for a lifetime"
Normally, "unable to get local issuer certificate" means you don't trust whomever you are trying to connect to. Do you have the public key for the far end (the API server)? I think this means if you install the issuer (CA) certificate of whomever issues the API server's certificate, then your system will trust it. If that makes sense.
Yeah, thought about that solution, however then I would have to update that cert every month, right? If it's the case that the server for some reason doesn't trust the domain then I'd rather like to fix that. The VM and containers on the host don't have an issue verifying the cert chain, but the host does, but why, especially since I haven't changed anything in that regard ever
Edit: the API is behind a subdomain, but it shares the same cert, so I could manually trust the cert, but that's more like a troubleshoot than solving the actual problem
Last edited by Ralpatino (2025-05-13 20:50:34)
sevendogs wrote:Normally, "unable to get local issuer certificate" means you don't trust whomever you are trying to connect to. Do you have the public key for the far end (the API server)? I think this means if you install the issuer (CA) certificate of whomever issues the API server's certificate, then your system will trust it. If that makes sense.
Yeah, thought about that solution, however then I would have to update that cert every month, right? If it's the case that the server for some reason doesn't trust the domain then I'd rather like to fix that. The VM and containers on the host don't have an issue verifying the cert chain, but the host does, but why, especially since I haven't changed anything in that regard ever
I have no idea - most certs are good for at least a year but that depends on the CA that issued it. Odd that the VMs are ok but the VM host isn't. Installed trusted roots/CAs on the VMs the same as the host?
Hey everybody,
I got the same issue a few days ago, with a Ruby app. When it tries to connect to a specific domain with a Cloudflare cert, I get the error "unable to get local issuer certificate". In my case, the domain is myshopify.com. It works well in Firefox or Chrome, but curl and Ruby return exactly the same error all the time.
I have no idea - most certs are good for at least a year but that depends on the CA that issued it. Odd that the VMs are ok but the VM host isn't. Installed trusted roots/CAs on the VMs the same as the host?
When I look at the website's cert I see that it's only valid for a month. About the second idea, is there a good way to check that which doesn't mean checking file by file? I looked at the certs in /etc/ca-certificates/extracted/cadir for both the host and the VM before I made the post; it looked to be the same, but it's a lot of files, right
md5sum - you could try to straight up copy /etc/ca-certificates/extracted/tls-ca-bundle.pem from the VM - make sure to archive the original before.
@mkbodanu4, do you also go through the Comodo certificate?
Hmm, just found this thread, https://bbs.archlinux.org/viewtopic.php?id=305427, and downgrading that package helped me with the issue.
And I got same result for beammp.com with that downgrade
Interesting thread there, and very recent too; I have to give it a proper look later when I'm back online. But already just looking at the file sizes on the host and the VM I can see they're different.
Ran on both before the check
update-ca-trust
Host
-r--r--r-- 1 root root 218874 May 13 23:07 /etc/ca-certificates/extracted/tls-ca-bundle.pem
VM (reminder, the ca-certificates package is from last year on this vm)
-r--r--r-- 1 root root 225535 May 13 21:02 /etc/ca-certificates/extracted/tls-ca-bundle.pem
Last edited by Ralpatino (2025-05-13 21:11:03)
So yes this seems to be the solution. The "ca-certificates-mozilla" package version 311 is missing a CA cert that is served in cloudflare ca chains. Downgrading to 310 like the op in the other thread did solved it.
Thank you @seth, @cryptearth, @sevendogs and @mkbodanu4 for helping (:
well - hard to tell what's going wrong here
the current CA-list has this:
sha256 Fingerprint=D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4
which matches the ssllabs output:
AAA Certificate Services Self-signed
Fingerprint SHA256: d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4
Pin SHA256: vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM=
RSA 2048 bits (e 65537) / SHA1withRSA
Weak or insecure signature, but no impact on root certificate
yet somehow the current arch package fails to build a valid verification path:
openssl s_client -connect beammp.com:443 -crlf
Connecting to 2606:4700:3030::6815:3001
CONNECTED(00000003)
depth=2 C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
verify return:1
depth=0 CN=beammp.com
verify return:1
---
Certificate chain
0 s:CN=beammp.com
i:C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA256
v:NotBefore: Apr 8 00:07:28 2025 GMT; NotAfter: Jul 7 00:13:53 2025 GMT
1 s:C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
i:C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
a:PKEY: EC, (prime256v1); sigalg: ecdsa-with-SHA384
v:NotBefore: Oct 31 17:17:49 2023 GMT; NotAfter: Oct 28 17:17:48 2033 GMT
2 s:C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
a:PKEY: EC, (secp384r1); sigalg: sha256WithRSAEncryption
v:NotBefore: Jun 21 00:00:00 2024 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
subject=CN=beammp.com
issuer=C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ecdsa_secp256r1_sha256
Negotiated TLS1.3 group: X25519MLKEM768
---
SSL handshake has read 4119 bytes and written 1623 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
GET / HTTP/1.1
Server: beammp.com
Connection:close
RECONNECTING
Connecting to 2606:4700:3030::6815:5001
CONNECTED(00000003)
depth=2 C=US, O=SSL Corporation, CN=SSL.com TLS Transit ECC CA R2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C=US, O=CLOUDFLARE, INC., CN=Cloudflare TLS Issuing ECC CA 1
verify return:1
depth=0 CN=beammp.com
verify return:1
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
so - as I'm not sure how to investigate further - this is a screw up of current arch packages
pacman -Qi ca-certificates ca-certificates-mozilla ca-certificates-utils
Name : ca-certificates
Version : 20240618-1
Description : Common CA certificates - default providers
Architecture : any
URL : https://src.fedoraproject.org/rpms/ca-certificates
Licenses : GPL-2.0-or-later
Groups : None
Provides : None
Depends On : ca-certificates-mozilla
Optional Deps : None
Required By : curl neon python-certifi python-requests qca-qt6
Optional For : lib32-openssl openssl wget
Conflicts With : ca-certificates-cacert<=20140824-4
Replaces : ca-certificates-cacert<=20140824-4
Installed Size : 0.00 B
Packager : Jan Alexander Steffens (heftig) <heftig@archlinux.org>
Build Date : Tue Jun 18 20:36:40 2024
Install Date : Thu Jun 20 22:45:05 2024
Install Reason : Installed as a dependency for another package
Install Script : No
Validated By : Signature
Name : ca-certificates-mozilla
Version : 3.111-1
Description : Mozilla's set of trusted CA certificates
Architecture : x86_64
URL : https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
Licenses : MPL-2.0
Groups : None
Provides : None
Depends On : ca-certificates-utils>=20181109-3
Optional Deps : None
Required By : ca-certificates
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 1062.55 KiB
Packager : Jan Alexander Steffens (heftig) <heftig@archlinux.org>
Build Date : Fri May 2 04:29:22 2025
Install Date : Sat May 3 20:48:14 2025
Install Reason : Installed as a dependency for another package
Install Script : No
Validated By : Signature
Name : ca-certificates-utils
Version : 20240618-1
Description : Common CA certificates (utilities)
Architecture : any
URL : https://src.fedoraproject.org/rpms/ca-certificates
Licenses : GPL-2.0-or-later
Groups : None
Provides : ca-certificates ca-certificates-java
Depends On : bash coreutils findutils p11-kit
Optional Deps : None
Required By : ca-certificates-mozilla curl jdk-openjdk jdk17-openjdk neon python-certifi python-requests qca-qt6
Optional For : lib32-openssl openssl wget
Conflicts With : ca-certificates-java
Replaces : ca-certificates-java
Installed Size : 13.63 KiB
Packager : Jan Alexander Steffens (heftig) <heftig@archlinux.org>
Build Date : Tue Jun 18 20:36:40 2024
Install Date : Thu Jun 20 22:45:05 2024
Install Reason : Installed as a dependency for another package
Install Script : Yes
Validated By : Signature
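Comparing two tls-ca-bundle.pem files by size or md5sum, as done above, only says that they differ, not which certificate went missing. The following is an added example, not code from the thread or from any Arch package: a stdlib-only Python script that fingerprints every certificate in a PEM bundle (SHA256 over the DER, the same value openssl and ssllabs print), reports which fingerprints exist in only one of two bundles, and looks up a single root such as the AAA Certificate Services fingerprint quoted above. The sample bundles at the bottom are constructed, not real certificates.

```python
import base64
import hashlib
import re
import ssl

# Root that the ssllabs output above lists as "AAA Certificate Services" (self-signed),
# copied from the thread in openssl's colon-separated form.
AAA_ROOT_SHA256 = (
    "D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:"
    "1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4"
)

# One PEM block per certificate; the "# Subject" comment lines p11-kit writes
# between blocks are simply skipped by the regex.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def normalize(fingerprint: str) -> str:
    """Accept 'D7:A7:...', 'd7a7...' or 'sha256 Fingerprint=...' spellings."""
    return fingerprint.split("=")[-1].replace(":", "").strip().lower()


def der_fingerprint(der: bytes) -> str:
    """SHA256 over the DER bytes, i.e. what `openssl x509 -fingerprint -sha256` hashes."""
    return hashlib.sha256(der).hexdigest()


def bundle_fingerprints(pem_text: str) -> list[str]:
    """Fingerprints of every certificate in a PEM bundle, in file order."""
    fps = []
    for block in PEM_BLOCK.findall(pem_text):
        der = ssl.PEM_cert_to_DER_cert(block)  # base64 -> DER, stdlib only
        fps.append(der_fingerprint(der))
    return fps


def bundle_has(pem_text: str, fingerprint: str) -> bool:
    """True if a certificate with this SHA256 fingerprint is in the bundle."""
    return normalize(fingerprint) in set(bundle_fingerprints(pem_text))


def diff_bundles(old_pem: str, new_pem: str) -> tuple[list[str], list[str]]:
    """(removed, added): fingerprints only in the old bundle, and only in the new one."""
    old = set(bundle_fingerprints(old_pem))
    new = set(bundle_fingerprints(new_pem))
    return sorted(old - new), sorted(new - old)


def fake_pem(der: bytes) -> str:
    """Wrap arbitrary bytes as a PEM block. Constructed test data, not a real cert."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed sample bundles: the "old" one carries three certificates, the "new"
# one lost the third, mirroring the two differently sized tls-ca-bundle.pem files.
CERT_A, CERT_B, CERT_C = b"constructed-cert-A", b"constructed-cert-B", b"constructed-cert-C"
OLD_BUNDLE = "# comment line as written by p11-kit\n" + fake_pem(CERT_A) + fake_pem(CERT_B) + fake_pem(CERT_C)
NEW_BUNDLE = fake_pem(CERT_A) + fake_pem(CERT_B)


if __name__ == "__main__":
    import sys

    # Real use: python3 bundle_diff.py old-tls-ca-bundle.pem new-tls-ca-bundle.pem
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            old_text, new_text = f_old.read(), f_new.read()
    else:
        old_text, new_text = OLD_BUNDLE, NEW_BUNDLE
    removed, added = diff_bundles(old_text, new_text)
    print(f"{len(bundle_fingerprints(old_text))} certs in old, "
          f"{len(bundle_fingerprints(new_text))} in new")
    print("only in old:", removed or "none")
    print("only in new:", added or "none")
    print("AAA Certificate Services present in new:", bundle_has(new_text, AAA_ROOT_SHA256))
```

On a real host, point it at the VM's and the host's extracted bundles; a fingerprint listed under "only in old" can then be matched against `openssl x509 -noout -subject -fingerprint -sha256` on the individual files in /etc/ca-certificates/extracted/cadir to name the certificate.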
Looking at https://github.com/nss-dev/nss/commits/ … rtdata.txt no certificates were removed in NSS_3_111_RTM. Could it be a strange interaction introduced by https://github.com/nss-dev/nss/commit/9 … 1211fac3bf replacing CKT_NSS_TRUSTED_DELEGATOR with CKT_NSS_MUST_VERIFY_TRUST for certificate authorities?
So yes this seems to be the solution. The "ca-certificates-mozilla" package version 311 is missing a CA cert that is served in cloudflare ca chains. Downgrading to 310 like the op in the other thread did solved it.
Thank you @seth, @cryptearth, @sevendogs and @mkbodanu4 for helping (:
Glad you got it sorted!
Has anyone affected reported the issue to any upstream? How is using an old version of the ca-certificates-mozilla package considered a fix rather than a work around?