Symptom & Impact

HTTPS operations fail because the server's certificate chain is untrusted, which blocks package retrieval and API integrations.

Environment & Reproduction

The error typically appears after a certificate renewal, an intermediate CA change, or a migration to internal PKI endpoints.

Root Cause Analysis

The usual causes are a missing intermediate certificate, an outdated trust store, or a server presenting an incomplete chain.

Quick Triage

Run `curl -Iv https://endpoint`, check system date/time, and inspect trust anchors under `/etc/pki/ca-trust`.

Step-by-Step Diagnosis

Use `openssl s_client -connect host:443 -showcerts`, `update-ca-trust check`, and `journalctl -p err --since -1h`.
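As an added example (not part of the original page), the shell function below reads the output of the `openssl s_client -connect host:443 -showcerts` command and classifies the failure, separating a server that sends only its leaf certificate from a trust anchor missing on the client. The function name, the verdict labels and the sample hostnames are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Reads the output of
#   openssl s_client -connect host:443 -showcerts </dev/null 2>/dev/null
# on stdin and prints one line: "<verdict>: <detail>".
classify_chain() {
  awk '
    # Chain entries: " 0 s:<subject>" followed by "   i:<issuer>".
    /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    /^ +i:/ && n   { sub(/^ +i:/, ""); iss[n] = $0; next }
    /Verify return code:/ { seen = 1; code = $4 + 0 }
    END {
      if (!seen)  { print "no-result: no Verify return code line in input"; exit }
      if (n == 0) { print "no-cert: server presented no certificate"; exit }
      if (code == 0) { print "ok: chain verified, " n " certificate(s) presented"; exit }
      # Each certificate must be issued by the next one the server sent.
      for (k = 1; k < n; k++)
        if (iss[k] != subj[k + 1]) {
          print "broken-order: cert " (k - 1) " is not issued by cert " k; exit
        }
      if (code == 9 || code == 10) {
        print "validity: not yet valid or expired; check clock and renewal"; exit
      }
      if (n == 1 && subj[1] != iss[1] && (code == 20 || code == 21))
        print "leaf-only: issuer \"" iss[1] "\" was not sent and is not trusted locally"
      else if (code >= 18 && code <= 21)
        print "anchor-missing: \"" iss[n] "\" is not in the local trust store (code " code ")"
      else
        print "other: verify return code " code
    }'
}

# Constructed sample (OpenSSL 1.1.1 layout, PEM bodies elided): leaf only.
SAMPLE_LEAF_ONLY='Certificate chain
 0 s:CN = api.corp.example
   i:CN = Example Issuing CA 1
---
    Verify return code: 21 (unable to verify the first certificate)'

printf '%s\n' "$SAMPLE_LEAF_ONLY" | classify_chain
```

A `leaf-only` verdict points at the server-side fullchain configuration or a missing issuer in the client trust store, while `anchor-missing` means the server sent its chain but the root is absent from `/etc/pki/ca-trust`.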

Solution – Primary Fix

After the fix, the certificate chain validates successfully and clients connect without `unable to get local issuer` errors.

Solution – Alternative Approaches

Install missing CA/intermediate certs, run `update-ca-trust`, and correct server-side fullchain configuration.

Verification & Acceptance Criteria

Retest with curl and `dnf makecache` where applicable; verify no TLS alerts in logs.

Rollback Plan

Remove recently added untrusted anchors and restore prior CA bundle from backup if required.

Prevention & Hardening

Track certificate expirations and automate chain validation in CI/CD and runtime probes.

`cp org-root-ca.crt /etc/pki/ca-trust/source/anchors/ && update-ca-trust && curl -I https://endpoint`

References & Further Reading

RHEL 8 PKI and trust store docs plus Red Hat KB articles for TLS chain troubleshooting.
