unable to get local issuer certificate

The client found the server’s certificate but couldn’t find the issuer that signed it, so it can’t reach a trusted root. Almost always either the server isn’t sending its intermediate certificate, or the client’s CA bundle is missing or out of date. curl reports it as “curl: (60) SSL certificate problem: unable to get local issuer certificate”.

Common causes

  • The server sends only its leaf certificate and omits the intermediate(s), so the client can’t link it to a trusted root.
  • The client’s CA bundle is missing or out of date — common in minimal Docker images, fresh CI runners, or stale ca-certificates packages.
  • The endpoint uses a private or internal CA whose root the client doesn’t trust.
  • A TLS-intercepting proxy or antivirus is re-signing traffic with a root the client doesn’t have.

How to fix it

  1. First find out which side is at fault. Inspect the chain the server actually sends; you should see the leaf AND at least one intermediate:

    openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null

  2. If the intermediate is missing, fix the server: serve the full chain (leaf + intermediates). For Nginx, point ssl_certificate at fullchain.pem, not cert.pem, and reload.

  3. If the chain is complete, the client’s CA store is the problem. Refresh it:

    # Debian/Ubuntu
    sudo apt-get install --reinstall -y ca-certificates && sudo update-ca-certificates
    # Alpine
    apk add --no-cache ca-certificates && update-ca-certificates

  4. When you can’t change the system store, point the specific tool at the CA bundle. (For a private/corporate root, set the bundle below; only if a *public* root is missing does pip install --upgrade certifi or updating ca-certificates help.)

    curl --cacert /path/to/ca-bundle.crt https://example.com
    git config --global http.sslCAInfo /path/to/ca-bundle.crt
    export REQUESTS_CA_BUNDLE=/path/to/ca-bundle.crt   # Python (requests)
    export NODE_EXTRA_CA_CERTS=/path/to/ca-bundle.crt

  5. Do not disable verification (curl -k, git -c http.sslVerify=false, NODE_TLS_REJECT_UNAUTHORIZED=0) on anything that matters, because it hides exactly the kind of interception this error exists to catch.
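
To see the server-side and client-side causes side by side without touching a live host, the script below (an added example, not part of the original page) builds a throwaway root, intermediate and leaf with openssl and verifies the leaf under each condition. The "Demo" subject names, file names and helper function names are made up for the demonstration.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: root -> intermediate -> leaf, throwaway keys in a temp dir.
set -eu

build_demo_pki() {   # prints the temp directory that holds the demo certs
  d=$(mktemp -d)
  # CA certs need basicConstraints CA:TRUE to be accepted as issuers.
  printf '[ca]\nbasicConstraints=critical,CA:TRUE\n[leaf]\nbasicConstraints=CA:FALSE\n' > "$d/ext.cnf"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  # Self-signed root; root signs the intermediate; intermediate signs the leaf.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ext.cnf" -extensions ca -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ext.cnf" -extensions ca \
    -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -extfile "$d/ext.cnf" -extensions leaf \
    -out "$d/leaf.pem" 2>/dev/null
  echo "$d"
}

# Each helper prints openssl's verdict for one scenario from the steps above.
# -CAfile plays the client's CA bundle; -untrusted plays the extra certs a server sends.

# Server sends only the leaf; client trusts the root.
leaf_only()      { openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 || true; }

# Server sends leaf + intermediate; client trusts the root.
full_chain()     { openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
                     "$1/leaf.pem" 2>&1 || true; }

# Server sends the full chain, but the client's default store lacks the demo root.
root_untrusted() { openssl verify -untrusted "$1/int.pem" "$1/leaf.pem" 2>&1 || true; }

PKI=$(build_demo_pki)
echo "server omits intermediate:"; leaf_only "$PKI"
echo "server sends full chain:";   full_chain "$PKI"
echo "client lacks the root:";     root_untrusted "$PKI"
```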
