HTTPS filtering is a must for any network admin these days, and if you implement it with an SSL bumping Squid you have surely seen the famous (and not especially clearly worded) X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error.

The cause is simple. Before Squid can generate the mimicked certificate it hands to the browser, it validates the certificate chain presented by the remote HTTPS site using OpenSSL and the certificate store on the host the proxy runs on. If the issuer of one of the presented certificates (typically an intermediate CA that the web server fails to send in the handshake) is found neither in the handshake nor in that store, OpenSSL cannot complete the chain and validation fails with this error. Browsers hide the problem because they cache intermediates they have seen before or fetch the missing one from the URL in the certificate's Authority Information Access extension; OpenSSL, and therefore Squid, does neither.

Let’s take the for example. If you access from your browser directly (Firefox, Chrome or even IE) you will not see any errors. If you do the same through an SSL bumping Squid proxy running on Ubuntu 14.04 LTS or CentOS 7, the following error page is shown in the browser.


If you take a closer look at the error page, it becomes clear that the following certificate authority is missing:

/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA

Let’s add this certificate to our OS certificate store. To do this go to the Thawte web site and download SSL123_SecondaryCA.pem. Note that we download ONLY the intermediate certificate and NOT the bundle, since the Thawte root certificate is already present in all common operating systems. Before installing it, check that the file you downloaded really is that intermediate: its subject must match the DN shown on the error page, and it must chain to the Thawte root already in your store (openssl verify against the system bundle reports OK). Anything you put in the trust store becomes trusted for every connection Squid bumps, so do not add a certificate you have not checked.


Then for CentOS 7:

  1. Open a root terminal and copy SSL123_SecondaryCA.pem into the /etc/pki/ca-trust/source/anchors/ folder.
  2. Rebuild the certificate bundle by running update-ca-trust. It finishes without any output.
  3. Restart Squid with systemctl restart squid.

And for Ubuntu 14.04 LTS (or Debian 7):

  1. Open a root terminal and copy SSL123_SecondaryCA.pem (it is in PEM format, i.e. it contains ----BEGIN CERTIFICATE----) to /usr/local/share/ca-certificates/SSL123_SecondaryCA.crt (the extension must be .crt, not .pem, otherwise update-ca-certificates ignores the file).
  2. Rebuild the certificate store by running sudo update-ca-certificates. See this article for more information.
  3. Restart Squid with service squid3 restart.

Open your browser and see that started to work normally.
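The whole story above, from the failing validation to the fix, can be reproduced offline. The following script is an added example, not code from the Diladele post: it builds a throwaway root, intermediate and server certificate with the openssl command line tool (OpenSSL 1.1.1 or newer assumed; all names and DNs are made up for the demo), verifies the server certificate against a store that holds only the root, shows the exact OpenSSL reason behind X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, checks that the intermediate chains to a root already in the store before trusting it, and finally verifies against a bundle that contains the intermediate too, which stands in for the bundle that update-ca-trust or update-ca-certificates rebuilds.

```shell
#!/bin/sh
# Added example, not code from the Diladele post. Builds a throwaway
# root -> intermediate -> leaf PKI with the openssl CLI (1.1.1 or newer assumed;
# every name below is made up) and shows when OpenSSL reports
# "unable to get local issuer certificate" (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY).
set -e

# Create the three certificates in a temporary directory and print its path.
make_pki() {
    dir=$(mktemp -d)
    (
        cd "$dir"
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
        # Self-signed root: the part that is "present in all operating systems"
        openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout root.key -out root.csr \
            -subj "/CN=Demo Root CA" 2>/dev/null
        openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 \
            -extfile ca.ext -out root.pem 2>/dev/null
        # Intermediate CA, playing the role of "Thawte DV SSL CA" in the post
        openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout int.key -out int.csr \
            -subj "/CN=Demo Intermediate CA" 2>/dev/null
        openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
            -days 2 -sha256 -extfile ca.ext -out int.pem 2>/dev/null
        # Server certificate issued by the intermediate
        openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout leaf.key -out leaf.csr \
            -subj "/CN=www.example.test" 2>/dev/null
        openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
            -days 2 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null
    )
    echo "$dir"
}

# Issuer DN of a certificate: the CA you have to locate when the error appears.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# Verify $2 using only the trust store $1 (system default locations disabled).
# $3, if given, is an extra untrusted certificate, i.e. what a well-configured
# server sends in the handshake. Exit status 0 means a full chain was built.
verify_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# OpenSSL's reason text for a failed verification of $2 against store $1 (empty when OK).
verify_error() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" 2>&1 \
        | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

PKI=$(make_pki)
echo "leaf issuer: $(issuer_of "$PKI/leaf.pem")"
echo "1. root only in store, server omits intermediate: $(verify_error "$PKI/root.pem" "$PKI/leaf.pem")"
verify_chain "$PKI/root.pem" "$PKI/leaf.pem" "$PKI/int.pem" && echo "2. server sends intermediate: OK"
# Before trusting a downloaded intermediate, confirm it chains to a root already in the store.
verify_chain "$PKI/root.pem" "$PKI/int.pem" && echo "3. intermediate is signed by a trusted root: OK"
# The post's fix: the rebuilt bundle (what update-ca-trust / update-ca-certificates produce)
# now contains the intermediate as well, so the chain completes locally.
cat "$PKI/root.pem" "$PKI/int.pem" > "$PKI/bundle.pem"
verify_chain "$PKI/bundle.pem" "$PKI/leaf.pem" && echo "4. intermediate added to local store: OK"
```

Step 1 prints "unable to get local issuer certificate", which is error 20 in OpenSSL's numbering and the reason behind the Squid error page; step 2 is what a correctly configured web server gives you for free; step 3 is the check worth doing on SSL123_SecondaryCA.pem before copying it into the trust store; step 4 is the state of the host after the procedure above.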


To remove this intermediate certificate from the certificate bundle on CentOS 7, delete the certificate file from /etc/pki/ca-trust/source/anchors and run update-ca-trust again. Do not forget to restart Squid!

If you need to do the same on Ubuntu 14.04, delete the certificate from /usr/local/share/ca-certificates, run sudo update-ca-certificates and finally remove the dangling symlinks to the no longer existing certificate in the /etc/ssl/certs folder (sudo update-ca-certificates --fresh does this for you by removing all symlinks there and recreating them). Restart Squid afterwards. We could not find an easier way!

Best regards,
Diladele Dev Team


This entry was posted in HTTPS, Linux, squid.

2 Responses to Fixing X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY on SSL Bumping Squid

  1. Lexus34 says:

    Please tell me how to install SSL123_SecondaryCA on pfSense, I added it through system_camanager and restarted squid3, but still get the error.

    • sichent says:

      Unfortunately you need to contact pfSense developers (or squid package maintainers) to find out how this can be done.
