How to fix X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY Squid error

Important

Web Safety 7.3+ allows you to fix this error automatically. You just need to navigate to UI / Squid / HTTPS tab and set the [X] Try to automatically download missing intermediate HTTPS certificates checkbox. Consider reading the article anyway - just to understand why this error occurs in the first place.

HTTPS filtering is a must for any network admin these days and if you implement HTTPS filtering using SSL Bumped Squid you have surely seen the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error.

The main reason for this error is very simple – one (or some) certificates presented by the remote HTTPS site are not present in the certificate store of Squid proxy server. Because of that Squid cannot generate mimicked SSL certificate required to perform HTTPS filtering.

Let’s take https://incomplete-chain.badssl.com for example. If you access it directly (FF or Chrome or even IE) you will not see any errors. If you do the same through HTTPS filtering proxy the following error page will be appear in the browser.

../../_images/unable_to_get_issuer_cert_locally.png

If you take a closer look at the error page then it becomes clear that the following certificate authority is missing:

COMODO RSA Domain Validation Secure Server CA

It is missing because the administrator of the site incomplete-chain.badssl.com has configured the web server incorrectly - according to current web standards the server MUST present all chain of certificates up to (but not including) the root certificate. In this case only the site certificate is presented by the web server and other certificates in the chain are left away.

To prove that we can go to online SSL Server Site Check Tool at https://www.ssllabs.com/ssltest/index.html. Type the incomplete-chain.badssl.com into the search field and click Submit. The tool will respond with results showing “Incomplete Chain” error as inidicated on the following screenshot.

../../_images/incomplete_chain1.png

Scroll the result page down and see what intermediate certificate is missing from the chain.

../../_images/incomplete_chain2.png

Note

This page explains more about what intermediate certificates are https://www.godaddy.com/help/what-is-an-intermediate-certificate-868.

To fix this X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY we must manually download the missing certificate and install it into the system.

Which Certificate to Download?

To find out which missing certificate to download, expand the incomplete chain button from SSL Labs result page, and manually take only the missing certificate from the output. Save its contents as a missing.pem file.

../../_images/ssllabs_download1.png ../../_images/ssllabs_download2.png

Now we need to add it to the proxy system. There are two possible ways to do it.

Way 2. Install Missing Certificate into System Certificate Storage

It is also possible to add this certificate to operating system’s certificate storage. This method is generally not recommended because adding an intermediate certificate to the root certificate storage makes is “globally trusted” and this usually too much for the purposes of HTTPS filtering.

Install Intermediate SSL Certificate on CentOS 7

  • Ensure intermediate certificate ends with .pem (this is required for CentOS 7).

  • Open root terminal and copy the certificate into /etc/pki/ca-trust/source/anchors/ folder.

  • Run update-ca-trust command to rebuild the system certificate bundle. It should finish without any output.

  • Restart Squid by running systemctl restart squid.

Note

To remove this manually installed intermediate certificate from the certificate bundle in CentOS 7, remove the certificate file from /etc/pki/ca-trust/source/anchors​ and run the update-ca-trust again. Do not forget to restart Squid!

Install Intermediate SSL Certificate on Ubuntu (Debian)

  • Open root terminal and copy the certificate into /usr/local/share/ca-certificates/crt. Please note, unlike in CentOS 7, the file extension needs to be crt!

  • Run sudo update-ca-certificates command to rebuild the system certificate store.

  • Restart Squid by running systemctl restart squid.

../../_images/ubuntu_update_ca_certificates.png

After that access to https://incomplete-chain.badssl.com will be successful.

../../_images/incomplete_chain_ok.png

Note

To remove this manually installed intermediate certificate from the certificate bundle, remove this certificate from /usr/local/share/ca-certificates, run sudo update-ca-certificates and finally remove all dangling links to non existing certificate in /etc/ssl/certs folder.