SSL unable to get local issuer

If you have installed an SSL certificate and it appears to work fine in the browser, but it does not work in places like the W3 feeds validator or iTunes Connect, a good way to debug it is to use cURL from the command line.

You may get back an “unable to get local issuer certificate” error.

$ curl https://www.your-domain.com/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

If so, this means that you have successfully installed your SSL certificate, but you have not included the intermediate certificates. These form an essential part of the chain up to the root certificate and need to be included when you install it.

They are typically distributed in .bundle files that come with your .crt file.
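To see the same error without touching a live server, the following added example (not part of the original page) builds a throwaway root, intermediate and site certificate with openssl, then verifies the site certificate with and without the intermediate. The subject names and the helper functions make_demo_chain and chain_status are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: throwaway root -> intermediate -> site chain, built offline.
# All subject names and the two helper functions are constructed for illustration.

make_demo_chain() {  # $1 = empty working directory
  local d=$1
  # Minimal config; the [ca] section marks a certificate as a CA.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/ca.cnf"
  # Self-signed root: the only certificate the client trusts.
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null &&
  # Intermediate CA signed by the root: the part a .bundle file carries.
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.cnf" -extensions ca -out "$d/int.crt" 2>/dev/null &&
  # Site certificate signed by the intermediate, not by the root.
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
}

# Prints "ok" or the verification error text.
# $1 = trusted root, $2 = site certificate, $3 = intermediates the server sends (optional)
chain_status() {
  local out
  if out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1); then
    echo "ok"
  else
    printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
  fi
}

demo_dir=$(mktemp -d)
make_demo_chain "$demo_dir"
echo "site certificate alone:       $(chain_status "$demo_dir/root.crt" "$demo_dir/leaf.crt")"
echo "site certificate plus bundle: $(chain_status "$demo_dir/root.crt" "$demo_dir/leaf.crt" "$demo_dir/int.crt")"
rm -rf "$demo_dir"
```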

cURL SSLv3 calls failing

If you try to connect over HTTPS/SSL with cURL, you may get an error similar to:

sslv3 alert handshake failure

Or:

Unknown SSL protocol error in connection

If you cannot see a descriptive error message, use --verbose to report everything.

The cause of this is often that hosts have disabled SSLv3 because it has now been compromised. The solution is to use TLS, which is a newer, more secure protocol.

curl --tlsv1 --verbose hostname

If you are using cURL in PHP you can change the SSL version to use TLSv1.2.

CURLOPT_SSLVERSION => CURL_SSLVERSION_TLSv1_2, // integer value 6

You should then be able to make the cURL request over SSL successfully.

cPanel certificates expiring

If you use self-signed certificates on cPanel and WHM, they will still expire each year. You may find yourself getting an email such as:

The SSL certificate for ftp on host.example.com will expire in less than 30 days.

Your server’s SSL certificate for ftp will expire in less than 30 days. You need to install a new certificate as soon as possible. You can install a new certificate using WHM’s “Manage Service SSL Certificates” interface: https://host.example.com:2087/scripts2/manageservicecrts (Main >> Service Configuration >> Manage Service SSL Certificates).

To resolve this, click the link as suggested by the email. Then, next to each service, click “Reset Certificate”. This will generate a fresh certificate and automatically install it.