SSL Certificate "Unable to get local issuer certificate"


I think Mail-In-A-Box is wonderful. It’s something that we really need and should maintain for a long time.

I just bought an SSL Certificate from Comodo and a VPS to set up email. Everything seems to be working great. Emails come in and go out very quickly, and Exchange support is really great.

However, I still get this issue in the systems check:

The SSL certificate has a problem:/SOME-PATH.pem
C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN
= COMODO RSA Domain Validation Secure Server CA
error 20 at 1 depth lookup:unable to get local issuer certificate

Is there something I need to do to fix this? I renamed the self-signed certificate that came with the installation and still have it around. Does that need to go into the certificate PEM file along with rest of my CAs and CRTs?


When you visit the domain in your browser, does it work without any certificate problem?

Hi Josh, thanks for your quick reply.

During me research, I realized that I had forgotten to include one of the four certificates that NameCheap/Comodo issued me. Once I included that into the PEM, everything worked great. And to answer your question, yes, things seemed to work just fine before I fixed that issue.

I do have this issue (and maybe it would be useful to include in the beginners guide) that is not covered by the SSL Certificate. Maybe this is common knowledge but at least not to me. Upon research, I learned that you need a separate wildcard SSL Certificate for every level of sub-domain.

This is perfectly fine, however, as I can just point IMAP/SMTP/Exchange/WWW/Webmail at my root domain and use box when absolutely necessary.


Did you use the CSR provided by the control panel?

Yes I did.

I read that SSL Certificates by nature cannot-according-to-spec apply to more than one level of the domain. Is that not true?


The CSR provided by the control panel would have specified, so the certificate should cover that. It might not cover, but it should cover

Normally a certificate covers one exact domain name, yes. A multi-domain certificate can cover multiple domains. A wilcard certificate covers a domain and one level of subdomains under it.

That’s interesting. The certificate I got was Comodo PositiveSSL. Maybe it only covers the root.


Did it ask for a domain name along the way? Maybe you provided the domain but not the subdomain?

Same problem here with RapidSSL

I added the Intermediate CA from RapidSSL into ssl_certificate.pem

Added the Bundled CA Version (PEM) from:

Copy and save it into intermediate-ca.pem

Than adding it into
cat intermediate-ca.pem >> ssl_certificate.pem

Hope this helps