# Curl: (60) SSL Certificate Problem: Unable to Get Local Issuer Certificate

The error `curl: (60) SSL certificate problem: unable to get local issuer certificate` occurs when `curl` is unable to verify the SSL certificate chain of the remote server because it cannot find a trusted root certificate or the intermediate certificates that link the server's certificate to one. This is often due to issues with the local CA certificate store on your system.

Here’s how you can resolve this issue:

### 1. **Update CA Certificates**

The most common solution is to ensure that your system's CA certificates are up-to-date.

- **On Windows:**
    - **Update CA Certificates:**
        - Windows manages certificates through the operating system's certificate store. Ensure that your system is up-to-date by running Windows Update.
    - **Manually Install CA Certificates:**
        - Download the latest CA certificates bundle, such as from [**certifi**](https://pypi.org/project/certifi/), and configure `curl` to use it as described in section 2.
- **On Linux:**
    - **Debian/Ubuntu:**
        
        ```bash
        sudo apt-get update
        sudo apt-get install --reinstall ca-certificates
        ```
        
    - **Fedora/CentOS/RHEL:**
        
        ```bash
        sudo yum reinstall ca-certificates
        ```
        
    - **Arch Linux:**
        
        ```bash
        sudo pacman -Syu ca-certificates
        ```
        
- **On macOS:**
    - **Homebrew:**
        
        ```bash
        brew install openssl
        ```
        
    - **Update CA Certificates:**
        - Ensure macOS is up-to-date as it handles certificates through the Keychain.

### 2. **Specify the CA Bundle Path Manually**

If the CA certificates are correctly installed but `curl` still can't find them, you can manually specify the CA bundle to use with `curl`.

1. **Download CA Certificates:**
    - Download the CA certificates bundle from [**curl's website**](https://curl.se/docs/caextract.html) or from [**certifi**](https://pypi.org/project/certifi/).
2. **Use the `--cacert` Option with `curl`:**
    
    ```bash
    curl --cacert /path/to/cacert.pem https://example.com
    ```
    
3. **Set the `CURL_CA_BUNDLE` Environment Variable:**
    
    ```bash
    export CURL_CA_BUNDLE=/path/to/cacert.pem
    ```
    
    This will make `curl` use the specified CA bundle for all requests in the current shell session.
    

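### 3. **Use the `--insecure` Option (Temporary Workaround)**

If you're sure of the server's identity and need to bypass certificate validation temporarily, you can use the `--insecure` (`-k`) option. It turns off certificate verification for that request, so `curl` will accept any certificate the remote end presents; this is not recommended for production environments due to security risks.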

```bash
curl --insecure https://example.com
```

### 4. **Verify Server Certificate Chain**

Sometimes, the issue is with the server's SSL configuration, such as missing intermediate certificates. You can check the server's certificate chain using tools like `openssl`:

```bash
openssl s_client -connect example.com:443 -showcerts
```

Ensure that the server provides the full chain, including any intermediate certificates.
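
To see why a missing intermediate produces this exact error, the following added example (not part of the original page) builds a throwaway root, intermediate and leaf certificate with `openssl` and verifies the leaf with and without the intermediate. The names `Demo Root`, `Demo Intermediate` and `demo.example`, and the helper function names, are assumptions made up for the demonstration.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: "Demo Root", "Demo Intermediate" and "demo.example"
# are made-up names; nothing here touches the system trust store.
DEMO_DIR=$(mktemp -d)

# issue NAME SUBJECT [x509 signing options...]: new key + CSR, then a 2-day cert
issue() {
  name=$1; subj=$2; shift 2
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$DEMO_DIR/$name.key" -out "$DEMO_DIR/$name.csr" 2>/dev/null
  openssl x509 -req -in "$DEMO_DIR/$name.csr" -days 2 \
    -out "$DEMO_DIR/$name.pem" "$@" 2>/dev/null
}

build_demo_pki() {
  ca_ext="$DEMO_DIR/ca.ext"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$ca_ext"
  # Root: self-signed trust anchor (the kind of cert that lives in a CA bundle)
  issue root "/CN=Demo Root" -signkey "$DEMO_DIR/root.key" -extfile "$ca_ext"
  # Intermediate: signed by the root; the server is expected to send this one
  issue int "/CN=Demo Intermediate" -CA "$DEMO_DIR/root.pem" \
    -CAkey "$DEMO_DIR/root.key" -CAcreateserial -extfile "$ca_ext"
  # Leaf: the server certificate, signed by the intermediate
  issue leaf "/CN=demo.example" -CA "$DEMO_DIR/int.pem" \
    -CAkey "$DEMO_DIR/int.key" -CAcreateserial
}

# Server sent only the leaf: the client trusts the root but cannot link to it.
verify_without_intermediate() {
  openssl verify -CAfile "$DEMO_DIR/root.pem" "$DEMO_DIR/leaf.pem" 2>&1 || true
}

# Server sent leaf + intermediate (-untrusted = certificates supplied by the peer).
verify_with_intermediate() {
  openssl verify -CAfile "$DEMO_DIR/root.pem" \
    -untrusted "$DEMO_DIR/int.pem" "$DEMO_DIR/leaf.pem" 2>&1 || true
}

build_demo_pki
verify_without_intermediate   # fails: unable to get local issuer certificate
verify_with_intermediate      # succeeds: leaf.pem: OK
```

The root is trusted in both runs; only the presence of the intermediate changes, which is why updating the client's CA bundle does not help when the server omits part of its chain.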

### 5. **Check System Time**

SSL/TLS certificates are time-sensitive. If your system time is incorrect, it might cause issues with certificate verification.

- **On Windows:**
    - Check and synchronize your system clock through the Date and Time settings.
- **On Linux/macOS:**
    - Synchronize your system clock with NTP servers:
        
        ```bash
        sudo ntpdate -u time.nist.gov
        ```
        

### 6. **Update `curl`**

Ensure you are using the latest version of `curl` as newer versions may have improved SSL/TLS support and better handling of certificates.

- **On Linux:**
    - Use your package manager to update `curl`.
- **On Windows:**
    - Download the latest version from [**curl's website**](https://curl.se/download.html).

### Summary

The `curl: (60) SSL certificate problem: unable to get local issuer certificate` error is usually due to missing or outdated CA certificates on your system. Updating your CA certificates, specifying the CA bundle manually, or temporarily bypassing SSL verification can help resolve the issue. For production environments, ensure that all SSL/TLS certificates are valid and correctly configured to avoid security risks.