Error: unable to get local issuer certificate

jigneshk5 · February 21, 2023, 11:27pm

I’m using EMQ X Broker 4.4.14 zip version in Ubuntu 20.04 . I setup the MQTT TLS setup with these configuration:
listener.ssl.external.keyfile = etc/letsencrypt/privkey.pem
listener.ssl.external.certfile = etc/letsencrypt/fullchain.pem
listener.ssl.external.cacertfile = etc/letsencrypt/ca.pem

privkey and fullchain are copied from /etc/letsencrypt/live/{domain}
ca.pem is merge of ISRG_Root_X1.pem and chain.pem (from letsencrypt)

But I’m getting the following logs in emqx.log.1:
2023-02-21T22:34:21.390149+00:00 [error] supervisor: ‘esockd_connection_sup - <0.1802.0>’, errorContext: connection_shutdown, reason: {ssl_error,{tls_alert,{unknown_ca,“TLS server: In state wait_cert at ssl_handshake.erl:2105 generated SERVER ALERT: Fatal - Unknown CA\n”}}}, offender: [{pid,<0.4875.0>},{name,connection},{mfargs,{emqx_connection,start_link,[[{deflate_options,[]},{crl_options,[{crl_check_enabled,false},{crl_cache_urls,[]}]},{ocsp_options,[{ocsp_stapling_enabled,false},{ocsp_refresh_interval,300000},{ocsp_refresh_http_timeout,15000}]},{max_conn_rate,500},{active_n,100},{zone,external},{proxy_address_header,<<>>},{proxy_port_header,<<>>},{supported_subprotocols,[]}]]}}]

Getting this error added in log every 1 second. Please help me fix this issue.

Maverick · February 22, 2023, 7:11am

You can find an explanation for this error in the FAQ document, which is usually caused by the client’s certificate configuration being incorrect.

Is the cacertfile you configure in EMQX the root CA certificate of the client certificate?

ronaldgevern · June 14, 2023, 12:55am

This SSL error occurs when the SSL/TLS client cannot verify the server’s certificate due to the absence of the issuer’s certificate in its trusted store. To resolve this, ensure the system time and date are accurate, update the trusted CA certificate bundle, explicitly specify the CA certificate if available, verify the certificate chain for completeness, and check for any network connectivity issues caused by firewalls or proxies. These steps will help address the SSL error “unable to get local issuer certificate” and enable successful establishment of secure connections.