Error Code: [60: SSL certificate problem: unable to get local issuer certificate]

The CommServe server or the client computer cannot verify the website's certificate that is used for SSL because the SSL certificate is not added to the CA bundle.

Symptoms

A CommServe server or a client computer cannot establish communication with a resource on the internet through an HTTP proxy server. For example, a CommServe server cannot copy or download Commvault software and one of the following errors appear:

• Cannot resolve to IP with error: [60:SSL certificate problem: unable to get local issuer certificate]
• Failed to download file [CVMedia/DVDInfo.txt] to [D:\CV_SoftwareCache\DVDInfo.txt] with error:[SSL certificate problem: unable to get local issuer certificate]
• Failed to initialize Software Retrieval object with error code [60]

Causes

The HTTP proxy cannot verify the root certificate that is used for SSL because the SSL certificate is not added to the CA bundle.

Resolution

Export the root and intermediate certificates of the website on the machine that is facing this issue. Copy the contents of your SSL certificates to the curl-ca-bundle.crt file in the Commvault Base folder.

Before You Begin

• Back up the curl-ca-bundle.crt file.
• Verify that no jobs that communicate with a resource on the internet are running.

Procedure - Commvault Platform Release 2023 (11.30) and Previous Releases

1. Browse the website on the CommServe server or the client computer that has the problem.
2. From the site information, open the certificate information. The Certificate dialog box appears.
3. On the Certificate Path, select the root entity, and then click View Certificate. The Certificate dialog box of your SSL appears.
4. On the Details tab, click Copy to File. The Certificate Export wizard appears.
5. Click Next. The Export File Format page appears.
6. Select Base-64 encoded X.509 (.CER), and then click Next.
7. In the File name box, enter a name for the file. A file is created and saved. The Completing the Certificate Export Wizard page appears.
8. Click Finish. A dialog box appears saying that the export was successful.
9. Click OK.
10. In a text editor, open the file that you exported and copy the contents, including the header and footer.
11. Go to the software_installation_directory*ContentStore\Base* folder and open the curl-ca-bundle.crt file in a text editor.
12. Paste the exported file contents at the bottom of the curl-ca-bundle.crt file.
13. Save the curl-ca-bundle.crt file.

Procedure - Commvault Platform Release 2023E (11.32) and Later Releases

1. Browse the website on the CommServe server or the client computer that has the problem.
2. From the site information, open the certificate information. The Certificate dialog box appears.
3. On the Certificate Path, select the root entity, and then click View Certificate. The Certificate dialog box of your SSL appears.
4. On the Details tab, click Copy to File. The Certificate Export wizard appears.
5. Click Next. The Export File Format page appears.
6. Select Base-64 encoded X.509 (.CER), and then click Next.
7. In the File name box, enter a name for the file. A file is created and saved. The Completing the Certificate Export Wizard page appears.
8. Click Finish. A dialog box appears saying that the export was successful.
9. From the Windows Start menu, run the following command: mmc.exe The Microsoft Management Console appears.
10. Select File > Add/Remove Snap-in from the main menu.
11. Add the Certificates snap-in. When asked which certificates you want to manage, select Computer Account and Local computer.
12. From the console root, navigate to Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates, right-click Certificates, and then select All Tasks > Import.
13. In the Certificate Import Wizard, click Next, select the file saved in Step 6 (above), click Next,  select Place all certificates in the following store as Trusted Root Certification Authorities, and then click Finish.

If the problem persists, repeat the preceding steps to add the intermediate certificates.

Procedure - Adding Custom Certificates For cURL Commands

Windows and UNIX: Will be using a new cert bundle, which is created by merging the Base folder cert bundle and from the registry:

[Certificates] > [certName: certValue (String)]

Example registry:

certificates/cert1 = "#### BEGIN CERTIFICATE ####  This is value for certificate #### END  CERTIFICATE ####"

This value will be appended to /certificates/cv-curl-ca-bundle.crt

This path is picked from the registry Base/sConfigDir and Base/dBaseHome respectively.

Additional information:

• Windows: Supporting Windows cert store
• UNIX: Merged bundle + OpenSSL bundle --> final merged bundle