Today, all HTTPS connections outside of my browser suddenly started failing with the error "SSL certificate problem: unable to get local issuer certificate." This issue affects all tools, including Python's requests, Node's fetch, and curl, etc.
I expected the HTTPS connections to work as usual, without any certificate issues. Here are the details for each tool I tested:
curl with Windows
    ❯ curl https://stackoverflow.com
    curl: (35) schannel: next InitializeSecurityContext failed: CRYPT_E_NO_REVOCATION_CHECK (0x80092012)
Even when using WSL, the Linux environment also encounters the same issue.
curl with WSL
    $ curl https://stackoverflow.com
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: https://curl.se/docs/sslcerts.html

    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.
fetch with Node.js
    > fetch("https://stackoverflow.com")
    Promise {
      <pending>,
      [Symbol(async_id_symbol)]: 108,
      [Symbol(trigger_async_id_symbol)]: 86
    }
    > Uncaught [TypeError: fetch failed] {
      [cause]: Error: unable to get local issuer certificate
          at TLSSocket.onConnectSecure (node:_tls_wrap:1674:34)
          at TLSSocket.emit (node:events:519:28)
          at TLSSocket.emit (node:domain:551:15)
          at TLSSocket._finishInit (node:_tls_wrap:1085:8)
          at ssl.onhandshakedone (node:_tls_wrap:871:12)
          at TLSWrap.callbackTrampoline (node:internal/async_hooks:130:17) {
        code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
      }
    }
To diagnose the problem, I ran the following OpenSSL command:
openssl s_client -connect google.com:443
The output I received was:
    Connecting to 2404:6800:4012:2::200e
    CONNECTED(000001F8)
    depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=1 C=US, O=Google Trust Services, CN=WR2
    verify return:1
    depth=0 CN=*.google.com
    verify return:1
    ---
    Certificate chain
     0 s:CN=*.google.com
       i:C=US, O=Google Trust Services, CN=WR2
       a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
       v:NotBefore: Jul 1 06:35:43 2024 GMT; NotAfter: Sep 23 06:35:42 2024 GMT
     1 s:C=US, O=Google Trust Services, CN=WR2
       i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
       a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
       v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
     2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R1
       i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
       a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
       v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    subject=CN=*.google.com
    issuer=C=US, O=Google Trust Services, CN=WR2
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: ECDSA
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 6552 bytes and written 398 bytes
    Verification error: unable to get local issuer certificate
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 256 bit
    This TLS version forbids renegotiation.
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 20 (unable to get local issuer certificate)
    ---
What I have tried so far:
I have tried updating the CA certificates on my system, but the issue persists. I used the following command and manually imported the generated certificates:
Certutil.exe -generateSSTFromWU roots.sst
Most solutions I found online suggest disabling SSL checks for specific tools like Git or Node.js. However, my issue affects all applications except for browsers.
Any help or suggestions would be greatly appreciated. Thank you!