Curl: (60) Ssl Certificate Problem: Unable to Get Local Issuer Certificate

The error curl: (60) SSL certificate problem: unable to get local issuer certificate occurs when curl is unable to verify the SSL certificate chain of the remote server because it cannot find a trusted root certificate or intermediary certificates. This is often due to issues with the local CA certificates store on your system.

Here’s how you can resolve this issue:

1. Update CA Certificates

The most common solution is to ensure that your system's CA certificates are up-to-date.

• On Windows:
  • Update CA Certificates:
    • Windows manages certificates through the operating system's certificate store. Ensure that your system is up-to-date by running Windows Update.
  • Manually Install CA Certificates:
    • Download the latest CA certificates bundle, such as from certifi, and configure curl to use it.

• On Linux:

  • Debian/Ubuntu:

     

    Copied!

    sudo apt-get update
    sudo apt-get install --reinstall ca-certificates
    

  • Fedora/CentOS/RHEL:

     

    Copied!

    sudo yum reinstall ca-certificates
    

  • Arch Linux:

     

    Copied!

    sudo pacman -Syu ca-certificates
    

• On macOS:

  • Homebrew:

     

    Copied!

    brew install openssl
    

  • Update CA Certificates: Ensure macOS is up-to-date as it handles certificates through the Keychain.

2. Specify the CA Bundle Path Manually

If the CA certificates are correctly installed but curl still can't find them, you can manually specify the CA bundle to use with curl.

1. Download CA Certificates:
   • Download the CA certificates bundle from curl's website or from certifi.

2. Use the -cacert Option with curl:

    

   Copied!

   curl --cacert /path/to/cacert.pem <https://example.com>
   

3. Set the CURL_CA_BUNDLE Environment Variable:

    

   Copied!

   export CURL_CA_BUNDLE=/path/to/cacert.pem
   

   This will make curl use the specified CA bundle for all requests in the current session.

3. Use the -insecure Option (Temporary Workaround)

If you're sure of the server's identity and need to bypass certificate validation temporarily (not recommended for production environments due to security risks), you can use the --insecure option.

curl --insecure <https://example.com>

4. Verify Server Certificate Chain

Sometimes, the issue is with the server's SSL configuration, such as missing intermediate certificates. You can check the server's certificate chain using tools like openssl:

openssl s_client -connect example.com:443 -showcerts

Ensure that the server provides the full chain, including any intermediate certificates.

5. Check System Time

SSL/TLS certificates are time-sensitive. If your system time is incorrect, it might cause issues with certificate verification.

• On Windows:
  • Check and synchronize your system clock through the Date and Time settings.

• On Linux/macOS:

  • Synchronize your system clock with NTP servers:

     

    Copied!

    sudo ntpdate -u time.nist.gov
    

6. Update curl

Ensure you are using the latest version of curl as newer versions may have improved SSL/TLS support and better handling of certificates.

• On Linux:
  • Use your package manager to update curl.
• On Windows:
  • Download the latest version from curl's website.

Summary

The curl: (60) SSL certificate problem: unable to get local issuer certificate error is usually due to missing or outdated CA certificates on your system. Updating your CA certificates, specifying the CA bundle manually, or temporarily bypassing SSL verification can help resolve the issue. For production environments, ensure that all SSL/TLS certificates are valid and correctly configured to avoid security risks.

Got an article suggestion? Let us know

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.