Local Community

Unable to get local issuer certificate

Issue Summary

I updated my company laptop to Monterey 12.6.1 and ran into the invalid certificate issues discussed on numerous other posts. I updated to Local 6.5.2+6204, cleared out all of the certs in both the directory and in the keychain. I rebooted Local and all of the new certs were created and I set them in the keychain to Always Trust. The problem in Chrome still persisted, so I cleared everything out of Chrome that I had the option to clear out and the problem still persisted. I typed in the “thisisunsafe” cheat code and it worked.

So, I am passed that issue. Now, I am experiencing a bunch of deprecation warnings due to being forced to upgrade to PHP 8.1.9 so I selected PHP 7.4.30 and when Local attempted to download that version an error popped up “Error: unable to get the local issuer certificate”. I’ve got work I need to do, so I figured I would just try to resolve the deprecation warning by updating the plugins that are the source of the warnings, only when I am in the admin clicking on the download update link it says the same warning “unable to get local issuer certificate”.

I printed out the configured source of the certificates and got this:
Array
(
[default_cert_file] => /usr/local/etc/openssl@1.1/cert.pem
[default_cert_file_env] => SSL_CERT_FILE
[default_cert_dir] => /usr/local/etc/openssl@1.1/certs
[default_cert_dir_env] => SSL_CERT_DIR
[default_private_dir] => /usr/local/etc/openssl@1.1/private
[default_default_cert_area] => /usr/local/etc/openssl@1.1
[ini_cafile] =>
[ini_capath] =>
)

I navigated to /usr/local/etc and @openssl@1.1 directory doesn’t even exist. I created a symlink pointing to my machine’s actual cert directory in /etc/ssl and still the problem persists.

Any ideas?

Oh no, I really don’t like how macs have changed up things lately!

Ideally you can switch back to PHP 8.1.9, and the latest version of the PHP service. That should have updated configuration to make remote connections over HTTPS.

But if you really need to mess with the underlying configuration, you’ll likely need to use Homebrew and be aware of differences between intel and arm64 macs. Hope this helps:

Is your machine an M1 mac?

The paths that you mention look like where the older versions of Local’s PHP binaries are l looking for openssl config, however, if you’re on an M1 mac, Homebrew (what we use to link up pre-compiled binaries of Openssl) stores things in a different location.

If you are on an M1 mac, but using the older version of PHP, you might be able to install openssl@1.1 via Homebrew, and then link that folder and cert.pem file into where the PHP config is expecting it.

The general process would be to install openssl@1.1 and then list out the files/folders in that directory:

brew install openssl@1.1
ls /opt/homebrew/etc/openssl@1.1/

From there, you can probably link in the various files.

which openssl
/usr/bin/openssl

openssl version -a
LibreSSL 2.8.3
built on: date not available
platform: information not available
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: information not available
OPENSSLDIR: “/private/etc/ssl”

Is there a way to get Local to look for the existing version of OpenSSL instead of trying to install an older version in the expected path?