
"unable to get local issuer certificate" Errors After Certificate Renewal


Article ID: 202426


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

After renewing an SSL certificate, we see the following errors in the SiteMinder Policy Server logs:


depth=0 C = <Country>, ST = <City>, L = <State>, O = <Company>, CN = <user>.<domain>.<tld>

verify error:num=20:unable to get local issuer certificate

 

depth=0 C = <Country>, ST = <City>, L = <State>, O = <Company>, CN = <user>.<domain>.<tld>

verify error:num=21:unable to verify the first certificate

 

-----END CERTIFICATE-----

subject=/C=<Country>/ST=<City>/L=<State>/O=<Company>/CN=<user>.<domain>.<tld>

issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL TLS RSA CA G1

---

No client certificate CA names sent

Server Temp Key: ECDH, secp384r1, 384 bits

Environment

Release: ANY

Components: Federation, SSL, Policy Server

Resolution

The most common cause of the "unable to get local issuer certificate" error is an incomplete certificate chain, most often a missing intermediate certificate. Ensure the entire certificate chain is present.
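
The following script is an added example, not part of the original article or the product. It builds a throwaway root, intermediate and leaf certificate with OpenSSL, then verifies the leaf as a client that trusts only the root would, first with the intermediate missing and then with the full chain. The function names, file names and the demo-*.example.test subjects are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed demo PKI: every name below is made up for this example.

# Build root -> intermediate -> leaf certificates in directory $1.
make_demo_pki() (
  cd "$1" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  for n in root intermediate leaf; do
    openssl req -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
      -subj "/O=Demo/CN=demo-$n.example.test" 2>/dev/null || exit 1
  done
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 2 -out root.pem 2>/dev/null || exit 1
  openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile ca.ext -days 2 -out intermediate.pem \
    2>/dev/null || exit 1
  openssl x509 -req -in leaf.csr -CA intermediate.pem \
    -CAkey intermediate.key -CAcreateserial -days 2 -out leaf.pem 2>/dev/null
)

# Verify what a server presents ($2: leaf first, then any intermediates)
# against a trusted root ($1), the way a client that only trusts the root would.
verify_presented() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>&1
}

d=$(mktemp -d) && make_demo_pki "$d"
# After a renewal only the new leaf was installed: the chain is incomplete.
cat "$d/leaf.pem" > "$d/served-broken.pem"
# Fix: present the leaf followed by the intermediate that issued it.
cat "$d/leaf.pem" "$d/intermediate.pem" > "$d/served-fixed.pem"

for f in served-broken served-fixed; do
  if out=$(verify_presented "$d/root.pem" "$d/$f.pem"); then
    echo "$f: chain complete"
  else
    echo "$f: $out"
  fi
done
```

Running the same `openssl verify` call against the renewed certificate file and the issuing CA's intermediate bundle shows whether the chain is complete before the certificate is put back into service.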