windows ssl https certificate

All HTTPS connections outside of browser fail with "SSL certificate problem: unable to get local issuer certificate"


Today, all HTTPS connections outside of my browser suddenly started failing with the error "SSL certificate problem: unable to get local issuer certificate." This issue affects all tools, including Python's requests, Node's fetch, and curl, etc.

I expected the HTTPS connections to work as usual, without any certificate issues. Here are the details for each tool I tested:

curl with Windows
❯ curl https://stackoverflow.com
curl: (35) schannel: next InitializeSecurityContext failed: CRYPT_E_NO_REVOCATION_CHECK (0x80092012)

Even when using WSL, the Linux environment also encounters the same issue.

curl with WSL
$ curl https://stackoverflow.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

fetch with Node.js
> fetch("https://stackoverflow.com")
Promise {
  <pending>,
  [Symbol(async_id_symbol)]: 108,
  [Symbol(trigger_async_id_symbol)]: 86
}
> Uncaught [TypeError: fetch failed] {
  [cause]: Error: unable to get local issuer certificate
      at TLSSocket.onConnectSecure (node:_tls_wrap:1674:34)
      at TLSSocket.emit (node:events:519:28)
      at TLSSocket.emit (node:domain:551:15)
      at TLSSocket._finishInit (node:_tls_wrap:1085:8)
      at ssl.onhandshakedone (node:_tls_wrap:871:12)
      at TLSWrap.callbackTrampoline (node:internal/async_hooks:130:17) {
    code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
  }
}

To diagnose the problem, I ran the following OpenSSL command:

openssl s_client -connect google.com:443

The output I received was:

Connecting to 2404:6800:4012:2::200e
CONNECTED(000001F8)
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C=US, O=Google Trust Services, CN=WR2
verify return:1
depth=0 CN=*.google.com
verify return:1
---
Certificate chain
 0 s:CN=*.google.com
   i:C=US, O=Google Trust Services, CN=WR2
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul  1 06:35:43 2024 GMT; NotAfter: Sep 23 06:35:42 2024 GMT
 1 s:C=US, O=Google Trust Services, CN=WR2
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN=*.google.com
issuer=C=US, O=Google Trust Services, CN=WR2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6552 bytes and written 398 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---

What I have tried so far:

I have tried updating the CA certificates on my system, but the issue persists. I used the following command and manually imported the generated certificates:

Certutil.exe -generateSSTFromWU roots.sst

Most solutions I found online suggest disabling SSL checks for specific tools like Git or Node.js. However, my issue affects all applications except for browsers.

Any help or suggestions would be greatly appreciated. Thank you!
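
Added example (not part of the original question or its answer): a small Python parser that pairs each "verify error" line in `openssl s_client` output with the certificate at that depth in the "Certificate chain" block, so the issuer the local trust store could not supply is named explicitly. The sample is copied from the output quoted above and trimmed; the function names are this example's own.

```python
import re

# Trimmed copy of the `openssl s_client` output quoted in the question.
SAMPLE = """\
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C=US, O=Google Trust Services, CN=WR2
verify return:1
depth=0 CN=*.google.com
verify return:1
Certificate chain
 0 s:CN=*.google.com
   i:C=US, O=Google Trust Services, CN=WR2
 1 s:C=US, O=Google Trust Services, CN=WR2
   i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
 2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R1
   i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
"""

def parse_chain(text):
    """Return {depth: [subject, issuer]} from the 'Certificate chain' block."""
    chain, depth = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*(\d+) s:(.*)", line):
            depth = int(m.group(1))
            chain[depth] = [m.group(2).strip(), None]
        elif depth is not None and (m := re.match(r"\s+i:(.*)", line)):
            chain[depth][1] = m.group(1).strip()
    return chain

def parse_verify_errors(text):
    """Return [(depth, errnum, message)] from the verify callback lines."""
    errors, depth = [], None
    for line in text.splitlines():
        if m := re.match(r"depth=(\d+) ", line):
            depth = int(m.group(1))
        elif m := re.match(r"verify error:num=(\d+):(.*)", line):
            errors.append((depth, int(m.group(1)), m.group(2).strip()))
    return errors

def diagnose(text):
    """Pair each verify error with the certificate it was raised on.
    For error 20, 'issuer' is the CA the verifier could not find locally."""
    chain = parse_chain(text)
    return [{"depth": d, "error": n, "subject": chain[d][0], "issuer": chain[d][1]}
            for d, n, _ in parse_verify_errors(text) if d in chain]

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```

On the quoted output this reports error 20 at depth 2, on the GTS Root R1 certificate whose issuer is GlobalSign Root CA.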


Solution

  • I have experienced the same issue with the Avast antivirus software. I found out that it's a bug. See: https://answers.microsoft.com/en-us/windowsclient/forum/all/avast-curl-ssl-revocation-problem/a4fca682-55ec-499d-bb71-208862d617ea

    I have switched to another antivirus software (with a different engine) and the curl command started working again.

    Also, programs with HTTP connections worked in the Eclipse IDE, but not in VS Code, but that could be caused by a different error. (I didn't test the programs in the Eclipse IDE before I switched antivirus software.) Or you can wait for the bug to get fixed. If you decide to switch antivirus software, make sure you do it safely.