The error message “curl: (60) SSL certificate problem: unable to get local issuer certificate” typically indicates a problem with the certificate of the server you’re trying to connect to or the certificate chain leading up to a trusted certificate authority.
To establish a secure connection, curl tries to verify the server’s certificate against a list of trusted certificate authorities.
It also checks if the server’s certificate is signed by a trusted certificate authority (CA). If the server’s certificate isn’t signed by a trusted CA, or if curl can’t find the CA in its list, you’ll see the error message you provided.
The error can also occur if an intermediate certificate isn’t installed correctly on the server or if the chain of trust can’t be established up to a root CA.
Here are a few ways to troubleshoot this issue:
1. Update your certificate store: It’s possible that the list of certificate authorities curl is using is outdated. You can update this list by updating your operating system or explicitly updating the certificate store.
2. Check the server’s certificate: If you control the server you’re trying to connect to, you should check that the server’s certificate is correctly installed, and that all necessary intermediate certificates are present.
3. Use a different certificate authority: If you control the server, you can also consider getting your certificate from a different certificate authority, one that is present in the certificate store on the client side.
4. Ignore the certificate check: As a last resort, you can tell curl to ignore the certificate check with the -k or –insecure option. However, this makes your connection insecure and susceptible to man-in-the-middle attacks, so it should never be used in a production environment. Use this only for debugging purposes.
Please note that the specifics of how to perform these actions can vary depending on your operating system, the server software, the certificate authority, and other factors.
Table of Contents
Enable verbose logging in curl command
To troubleshoot the curl: (60) SSL certificate problem, it’s a good idea to enable verbose logging in curl. Verbose logging provides more details about the request and response, which can help identify the cause of the problem.
You can enable verbose output from curl by adding the -v or –verbose option to your curl command:
curl -v https://example.com
This will display detailed information about the request and the response, including SSL connection setup.
Pay close attention to the SSL handshake information, this is where SSL problems like certificate validation issues are most likely to appear.
If the certificate is not trusted, the handshake will fail, and curl will return the curl: (60) SSL certificate problem error message.
Update your certificate store
The process to update your certificate store depends on your operating system.
For Linux systems that use APT (like Ubuntu or Debian), you can update the certificate store with the following commands:
sudo apt-get update
sudo apt-get upgrade ca-certificates
For Red Hat based systems (like CentOS), you can use:
sudo yum update ca-certificates
For macOS, the system handles updates to the certificate store automatically in the background. So if you’re using the version of curl that comes with macOS, it should always be up to date. However, if you’ve installed your own version of curl, you may need to update that specifically.
For Windows, the certificate store is typically updated via Windows Update. So ensuring your system is up to date should ensure your certificate store is up to date.
Remember, it’s always a good idea to back up your system before performing any kind of updates, in case something goes wrong.
Please note that these commands might require administrator privileges.
Check more about how to update CA certificate
Check the server’s certificate
Checking a server’s SSL certificate involves examining the certificate’s details such as its issuer, the names it’s valid for, its validity dates, and the chain of trust up to a root certificate authority. You can do this using several methods:
1. Using a web browser: This is the simplest method for a website with HTTPS:
Visit the website in question.
Click on the padlock icon in the URL bar.
Click on “Certificate” or “View Certificates” to see details about the certificate.
The exact steps depend on the browser you’re using.
2. Using the openssl command: This tool is typically available on Unix-based systems. You can use it to download and display the certificate:
echo | openssl s_client -servername hostname -connect host:port 2>/dev/null | openssl x509 -noout -text
Replace “hostname” with the domain name of the server, and “host:port” with the server’s address and port number (typically 443 for HTTPS). This command shows the certificate’s details in text form.
3. Using online SSL checkers: There are many free online tools that can check a website’s SSL certificate and its chain of trust.
These tools can often provide more user-friendly information than the openssl command. Examples include SSL Labs’ SSL Server Test and DigiCert’s SSL Installation Diagnostics Tool.
Remember that these methods only allow you to inspect the certificate. If there’s a problem with the certificate or its chain of trust, you’ll need to fix that on the server side or contact the server’s administrator if you’re not in control of the server.
Check more about how to check server certificate
Use a different certificate authority
When you make a request with curl, it uses a set of trusted certificates to verify the server’s certificate. If the server’s certificate isn’t signed by a certificate authority (CA) in this set, or if the certificate chain can’t be verified, curl will return an error.
By default, curl uses a built-in set of trusted certificates, but you can specify a different set using the –cacert or –capath options.
The –cacert option allows you to specify a file containing one or more certificates to use to verify the server’s certificate:
curl --cacert /path/to/cacert.pem https://example.com
The –capath option allows you to specify a directory containing multiple certificate files to use:
curl --capath /path/to/certs/ https://example.com
In both cases, replace /path/to/cacert.pem or /path/to/certs/ with the path to your certificate file or directory, and https://example.com with the URL you’re trying to access.
Please note that the certificate files must be in PEM format.
Ignore the certificate check
You can instruct curl to ignore SSL certificate checks by using the -k or –insecure option. Here is an example:
curl -k https://example.com
Or:
curl --insecure https://example.com
Replace https://example.com with the URL you’re trying to access.
However, please note that using this option makes the connection vulnerable to man-in-the-middle attacks by disabling SSL certificate verification. It should therefore never be used in a production environment or with sensitive data. Use this option only for testing and debugging.