SSL certificate problem: unable to get local issuer certificate

[DTA666-sys]

As of new update Beammp is broken on my system(Arch Linux), tried reinstalling. Nothing works.

[9/5/2025 18:46:52] [INFO] Attempting to authenticate... [9/5/2025 18:46:52] [ERROR] POST to https://auth.beammp.com/userlogin failed: SSL peer certificate or SSH remote key was not OK [9/5/2025 18:46:52] [ERROR] Curl error: SSL certificate problem: unable to get local issuer certificate [9/5/2025 18:46:52] [ERROR] Failed to communicate with the auth system!

[RouHim]

I'm facing the same weired SSL issues on Arch Linux

[12/5/2025 15:34:16] [INFO] Mod caching directory: ./Resources
[12/5/2025 15:34:16] [INFO] BeamMP Launcher v2.4.0
[12/5/2025 15:34:16] [ERROR] GET to https://backend.beammp.com/sha/launcher?branch=default&pk= failed: SSL peer certificate or SSH remote key was not OK
[12/5/2025 15:34:16] [ERROR] Curl error: SSL certificate problem: unable to get local issuer certificate
[12/5/2025 15:34:16] [ERROR] GET to https://backend.beammp.com/version/launcher?branch=default&pk= failed: SSL peer certificate or SSH remote key was not OK
[12/5/2025 15:34:16] [ERROR] Curl error: SSL certificate problem: unable to get local issuer certificate
[12/5/2025 15:34:16] [INFO] Launcher version is up to date. Latest version:
[12/5/2025 15:34:16] [INFO] IMPORTANT: You MUST keep this window open to play BeamMP!
[12/5/2025 15:34:16] [INFO] Game Version : 0.35.5.0
[12/5/2025 15:34:16] [INFO] Game user path: ~/.local/share/BeamNG.drive/0.35/
[12/5/2025 15:34:16] [ERROR] GET to https://backend.beammp.com/sha/mod?branch=default&pk= failed: SSL peer certificate or SSH remote key was not OK
[12/5/2025 15:34:16] [ERROR] Curl error: SSL certificate problem: unable to get local issuer certificate
[12/5/2025 15:34:32] [ERROR] Game Closed! launcher closing soon

[WiserTixx]

I believe this is caused by the mozilla trust store removing a root ca that we use. You might be able to resolve this for now by downgrading ca-certificates-mozilla to v310.

[Vermoot]

Can confirm, I had the same issue, on Arch as well, and downgrading ca-certificates-mozilla to 3.100-1 fixed it.

[OfficialLambdax]

Yeah this issue is known to us and affects a wide branch of websites. The cause of it lies in the mozillas root ca trust store, whom have invalidated 8 root certificates. One of them, the AAA Certificate Services is used and shipped by Cloudflare and since we are using Cloudflare it also affects us.

Or in other words, this is on Mozilla/Cloudflare to fix and they are to my knowledge aware about it.

In the meantime everyone reading this can try downgrading their root ca package. On arch linux this is ca-certificates-mozilla below v311.

However this affects everything that uses mozillas trust store and not all use the systems trust store.

[DTA666-sys]

Yeah this issue is known to us and affects a wide branch of websites. The cause of it lies in the mozillas root ca trust store, whom have invalidated 8 root certificates. One of them, the AAA Certificate Services is used and shipped by Cloudflare and since we are using Cloudflare it also affects us.

Or in other words, this is on Mozilla/Cloudflare to fix and they are to my knowledge aware about it.

In the meantime everyone reading this can try downgrading their root ca package. On arch linux this is ca-certificates-mozilla below v311.

However this affects everything that uses mozillas trust store and not all use the systems trust store.

lol no.

In accordance with the schedule above, and Bug #1937338 https://bugzilla.mozilla.org/show_bug.cgi?id=1937338, Mozilla will remove the websites trust bit for these eight (8) CAs on April 15, 2025:

This is normal and planned.

  Also, on or about April 15, 2025, Mozilla will remove the websites trust bit for these eight (8) CAs, which were created before 2006. If these CA certificates had the secure email trust bit, then they will still be trusted to secure email for end entity certificates issued up until April 14, 2028 (distrust for email after April 15, 2028). See https://wiki.mozilla.org/CA/Root_CA_Lifecycles

• this was posted 6 months before the planned removal of certificates.

Can someone just message me when the devs figure out how to use certificates properly?

[Andy3153]

Happens even for the Nix derivation I wrote to get this up and running on my NixOS system: https://github.com/Andy3153/my-nixpkgs/blob/217ffdaadaeee63632a5f1b304b17384422a088a/pkgs/beammp-launcher.nix

I had no idea y'all just didn't renew your certificates, this gave me a lot of trust issues in my packaging for the launcher, when it was all from this.

My god. Please fix. From the looks of it this is a security hole waiting to happen that y'all are making us do to keep playing.

[WiserTixx]

BeamMP uses cloudflare's certificates, we can't control what certificate cloudflare serves for us. As far as I'm aware we can't "just" renew our certificates.

[Andy3153]

What has to be done then? Is there anything anyone else but you, the maintainers of these servers, can do to fix it for everyone?

[Poignee-deporte]

Contact cloud flare (or the organization that is responsible for managing the certificates) and tell to get their shiz together

[invertedEcho]

Happens even for the Nix derivation I wrote to get this up and running on my NixOS system: https://github.com/Andy3153/my-nixpkgs/blob/217ffdaadaeee63632a5f1b304b17384422a088a/pkgs/beammp-launcher.nix

I had no idea y'all just didn't renew your certificates, this gave me a lot of trust issues in my packaging for the launcher, when it was all from this.

My god. Please fix. From the looks of it this is a security hole waiting to happen that y'all are making us do to keep playing.

I’ve recently opened a PR in nixpkgs to add beammp so you may install it through official nixpkg in the future https://github.com/NixOS/nixpkgs/pull/413940 Might give the PR a thumbs up to get it more seen?

[Andy3153]

I’ve recently opened a PR in nixpkgs to add beammp so you may install it through official nixpkg in the future NixOS/nixpkgs#413940 Might give the PR a thumbs up to get it more seen?

Pfft, you beat me to it. I wrote my derivation just before this issue hit, and I was planning on upstreaming it after this was solved. You got my thumbs up tho.

[DTA666-sys]

https://bbs.archlinux.org/viewtopic.php?id=305571&p=2

""beammp.com", but it seems they got their certificate from cloudflare, CF used https://ssl-tools.net/subjects/94b4fbe6 … e5cd855ea5 and that was issued by the CA certificate that had its website bit withdrawn. Don't ask me where to put the onus - essentially comodo should™ have migrated the certificate, ssl.com should™ have caught that they're about to lose the trust on their certificate and migrated theirs and beammp.com probably has only ever talked to cloudflare.

beammp.com (and others) need to know that they're about to lose https and then bubble this up"

Might want to contact CF and SSL.

[DekoDX]

a more secure alternative vs downgrading your ca-certificates is getting the certificate yourself, copying it to "/usr/share/ca-certificates/trust-source/anchors/", and running "sudo update-ca-trust". This was tested on arch linux by grabbing the pem file from the ssl-tools link above.

[DekoDX]

This solution might also work on fedora as well since arch seems to get it's "ca-certificates-utils" package from them.

[DTA666-sys]

a more secure alternative vs downgrading your ca-certificates is getting the certificate yourself, copying it to "/usr/share/ca-certificates/trust-source/anchors/", and running "sudo update-ca-trust". This was tested on arch linux by grabbing the pem file from the ssl-tools link above.

yep, works on Arch. hopefully the guys on the discord server will stop telling people to downgrade their certs now.

[scarburato]

you can also get the certificate with curl with

curl -w %{certs} https://auth.beammp.com/userlogin -k > beammp.pem

then copy the beammp.pem into the folder

[OfficialLambdax]

you can also get the certificate with curl with

curl -w %{certs} https://auth.beammp.com/userlogin -k > beammp.pem

then copy the beammp.pem into the folder

Prepare having todo this every other month because the main website certs dont live long

[Andy3153]

you can also get the certificate with curl with

curl -w %{certs} https://auth.beammp.com/userlogin -k > beammp.pem

then copy the beammp.pem into the folder

Thanks to you I made something for NixOS too. In case anyone wants to use it, it's here: https://github.com/Andy3153/nixos-rice/blob/78eddffc7ddb76d112ce3a2f23ea7f0436d51566/hosts/sparkle/configuration.nix#L12-L19

[Caitex212]

you can also get the certificate with curl with

curl -w %{certs} https://auth.beammp.com/userlogin -k > beammp.pem

then copy the beammp.pem into the folder

Hey, in what folder do I need to put that?

EDIT: I found it out with ChatGPT. For Fedora you can use this:

curl -w %{certs} https://auth.beammp.com/userlogin -k > beammp.pem
sudo cp beammp.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract

[GreyXor]

my two cents: for arch linux it's under /usr/share/ca-certificates/trust-source/anchors

[Drenewoo]

Fix for now for fedora 42, need to downgrade ca-certificates:
sudo dnf install ca-certificates-0:2024.2.69_v8.0.401-5.fc42.noarch and sudo update-ca-trust extract. Worked for me, I also version locked it sudo dnf versionlock add ca-certificates

[DTA666-sys]

Fix for now for fedora 42, need to downgrade ca-certificates: sudo dnf install ca-certificates-0:2024.2.69_v8.0.401-5.fc42.noarch and sudo update-ca-trust extract. Worked for me, I also version locked it sudo dnf versionlock add ca-certificates

You don't need to downgrade. You can download the certs you need from SSL and put them in the proper folder.

[Josh9878]

is there a fix for this on windows?

[WiserTixx]

is there a fix for this on windows?

If you're experiencing this on windows something is most likely very wrong. Could you create a game support ticket in our discord server?

[mio-19]

For NixOS it is possibly to patch the program to use older cacert: https://github.com/mio-19/nurpkgs/commit/3f73d12ad6f8a6a95b239f9f7f9608b6775c66b8

[Andy3153]

For NixOS it is possibly to patch the program to use older cacert: mio-19/nurpkgs@3f73d12

Hey, I upstreamed beammp-launcher into Nixpkgs, you could make a pull request suggesting a change like this to the derivation, I'm actually curious if people will think it's a good idea. All I used to do to get this program working is this: https://github.com/Andy3153/nixos-rice/blob/78eddffc7ddb76d112ce3a2f23ea7f0436d51566/hosts/sparkle/configuration.nix#L12-L19

[mio-19]

For NixOS it is possibly to patch the program to use older cacert: mio-19/nurpkgs@3f73d12

Hey, I upstreamed beammp-launcher into Nixpkgs, you could make a pull request suggesting a change like this to the derivation, I'm actually curious if people will think it's a good idea. All I used to do to get this program working is this: https://github.com/Andy3153/nixos-rice/blob/78eddffc7ddb76d112ce3a2f23ea7f0436d51566/hosts/sparkle/configuration.nix#L12-L19

@Andy3153 I don't think it is a good idea to add an older cacert to official nixpkgs. adding the certificate of the website could work

[Andy3153]

@mio-19 Oh yeah, just looked at it a bit more, wouldn't sound like a good idea

[NedTheFossEnthusiast]

Still an issue as of 30th Nov 2025 on Cachy OS. What action, if any, can I take to help resolve this?

[Andy3153]

Still an issue as of 30th Nov 2025 on Cachy OS. What action, if any, can I take to help resolve this?

@NedTheFossEnthusiast https://github.com/BeamMP/BeamMP-Launcher/issues/186#issuecomment-3234734714