New Let's Encrypt error: SSL certificate problem: unable to get local issuer certificate [RESOLVED]

I have not run into this one before with Let's Encrypt.

FreePBX 13.0.197.31
Asterisk 13

I have a Let's Encrypt certificate that is expiring. When I try to update it, I get this error:
There was an error updating the certificate: Curl: SSL certificate problem: unable to get local issuer certificate

I cannot find this issue elsewhere on the forums, does anyone else know how to resolve this?


Hi @wzkds

I think you have to check a couple of things.
1- certman module version and update.
2- FreePBX Firewall: is port 80 allowed for Let's Encrypt?
3- FreePBX Firewall Extra Service: allow Let's Encrypt from Internet access.
4- FreePBX Port Manager: check the Let's Encrypt port 80 (change the FreePBX GUI access port to 8080).
5- Check your firewall: port 80 TCP → NAT or port forward to your PBX IP.

Pls check below link…

Thanks,

Shahin

Thanks for the reply. Port 80 is good, and nothing has changed since the Let's Encrypt certificate originally updated (which was originally set up AFTER LE required port 80 open for all).

I just got another PBX that failed certificate update and expired TODAY. It is not behind a firewall, iptables only, and it is also having this issue:

There was an error updating certificate “[FQDN noted here]”: Curl: SSL certificate problem: unable to get local issuer certificate

This is a larger issue I expect will affect others on 13 shortly.

Hi @wzkds

Thanks for the reply. You have to look at module updates; I think you are using FreePBX 13 vs. Check module updates and the rest of the settings ^^.

Something must be blocking LE SSL… Check the settings below again:
1- Firewall must not block TCP port 80.
2- FreePBX --> Port Management (must allow and redirect port 80 to LE).
3- FreePBX --> Firewall --> Extra Service --> LE allowed for Internet access.
4- Be sure the FreePBX hostname is the same as the LE hostname.

I guess you have old module issue… but just guessing.

Thanks.

Shahin

@wzkds We came across the same issue. It looks like the issue is not a module error; the error comes from curl, and it will happen with any connection from the PBX in question to a site with an LE certificate. The CA bundle on FPBX13 seems to be from 2015 and does not have the latest LE root CA (probably still referencing the one they decommissioned not too long ago). FPBX13 is EOL and is not getting updates any longer.

To mitigate this:

1. SSH into the PBX and run rm /etc/pki/tls/certs/ca-bundle.crt to remove the symlink to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (provided by the ca-certificates package).

2. Once the symlink is removed, run curl https://curl.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt -k.

WARNING: -k disables the certificate check because you don't have a certificate to check against at this moment. You can also download the file and upload it to the PBX over SFTP if you prefer.

3. To check if the new CA bundle works, run curl https://letsencrypt.com

NOTE: To undo what we just did, simply run ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/pki/tls/certs/ca-bundle.crt - this recreates the symlink as it was before.

Hope that helps!

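As an added example (not code from this thread or from the FreePBX project), here is a POSIX shell version of the three steps above that closes the gap the WARNING points at: the `-k` download is only installed after its SHA-256 matches a digest the operator read from https://curl.se/ca/cacert.pem.sha256 on a machine whose own trust store still works, and the old symlink is kept as a backup so the NOTE's undo is one call. Only the ca-bundle.crt path and the curl.se URL come from the post; the function names, the `.bak` naming and the label-based check are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the thread's or FreePBX's own code.
# Fetching the checksum file from the same server with -k would protect only
# against corruption, not a man-in-the-middle, so the digest is an argument
# that the operator obtained out of band.

# sha256_of FILE -> hex digest (sha256sum on Linux, shasum elsewhere)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# bundle_lists_cert NAME FILE -> 0 if FILE carries a label line for NAME.
# Both curl's cacert.pem ("ISRG Root X1") and the CentOS extracted bundle
# ("# ISRG Root X1") label each certificate by common name, so this is a
# quick way to tell whether the current bundle even knows the LE root.
# It inspects labels only; it does not parse the certificates.
bundle_lists_cert() {
    grep -q -- "^#\{0,1\} *$1\$" "$2"
}

# install_verified_bundle SRC EXPECTED_SHA256 DEST
# Refuses to touch DEST unless SRC matches the digest; otherwise moves the
# existing DEST (file or symlink) to DEST.bak and installs SRC in its place.
install_verified_bundle() {
    src=$1; expected=$2; dest=$3
    actual=$(sha256_of "$src")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to install $src: sha256 $actual != expected $expected" >&2
        return 1
    fi
    if [ -e "$dest" ] || [ -L "$dest" ]; then
        mv "$dest" "$dest.bak"
    fi
    cp "$src" "$dest"
    chmod 0644 "$dest"
}

# restore_bundle DEST -> put DEST.bak (normally the original symlink) back
restore_bundle() {
    [ -e "$1.bak" ] || [ -L "$1.bak" ] || return 1
    rm -f "$1"
    mv "$1.bak" "$1"
}

# On the PBX (root, network): sh fix-ca-bundle.sh <sha256 read from a trusted machine>
main() {
    expected=$1
    dest=/etc/pki/tls/certs/ca-bundle.crt
    if bundle_lists_cert "ISRG Root X1" "$dest"; then
        echo "$dest already lists ISRG Root X1; the bundle is probably not the problem" >&2
        return 0
    fi
    tmp=$(mktemp)
    # -k is unavoidable here; the digest check is what gates the install
    curl -fsSk https://curl.se/ca/cacert.pem -o "$tmp"
    install_verified_bundle "$tmp" "$expected" "$dest"
    rm -f "$tmp"
    # This request is verified against the bundle that was just installed
    curl -sSI https://letsencrypt.org >/dev/null && echo "LE-signed site verifies"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it with the digest as the single argument; without arguments it only defines the functions, so `bundle_lists_cert "ISRG Root X1" /etc/pki/tls/certs/ca-bundle.crt` can be used on its own as the first diagnostic before anything is replaced.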

Thank you Ben for the assist; I will give this a try right now.

Yes, that resolved it, thanks very much!

