Curl SSL Certificate: Unable to Get Local Issuer Certificate
Curl is a command line tool that transfers data to and from servers. One common error that can occur when using curl is the “unable to get local issuer certificate” SSL certificate error. This error indicates an issue with the SSL/TLS certificate configuration preventing curl from making a secure connection.
In this comprehensive guide, we will cover everything you need to know about the curl SSL certificate error, including:
What Does the Curl Error Mean?
The full curl error message looks something like this:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
This indicates that curl could not verify the authenticity and validity of the SSL certificate presented by the remote server.
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols designed to provide secure network communication. They use certificates to establish trust between two parties and encrypt the data transfer.
Certificates are issued by certificate authorities (CAs) who validate the certificate holder’s identity. The CA signs the certificate to prove its validity.
For curl to trust a server’s certificate, it must be signed by a recognized CA whose root certificate is installed locally on the system. This allows curl to verify the complete certificate chain and trace it back to a trusted root.
If curl cannot establish a full chain of trust back to a known CA, the authentication fails, and this error occurs. This typically happens if:
- The server uses a self-signed certificate instead of one signed by a trusted CA.
- The server’s certificate chain is incomplete because the intermediate certificates are not included.
- The trusted root CA certificate is not installed on the local system.
What Are the Common Causes of the Curl SSL Certificate: Unable to Get Local Issuer Certificate Error?
There are a few common reasons you may see the curl SSL certificate error:
- Self-Signed Certificate in Use
- Missing or Incomplete Certificate Chain
- Root CA Certificate Not Installed
Self-Signed Certificate in Use
The most frequent cause is the remote server using a self-signed certificate rather than one issued by a CA.
A self-signed certificate is signed by the same entity that it certifies. Unlike CA-signed certificates, they are not trusted by default.
Web servers should not use self-signed certificates for public production websites; a CA-signed certificate should be used so that clients can authenticate the server properly.
Missing or Incomplete Certificate Chain
When a CA issues a certificate, it also provides a chain of intermediate certificates that must be presented along with the server certificate to complete the chain of trust.
If the server fails to send the full certificate chain, curl will be unable to validate the connection, and the SSL handshake will fail.
This problem can occur if the intermediate certificates are not properly installed on the web server or are missing from its configuration.
Root CA Certificate Not Installed
For curl to authenticate the certificate chain, the root CA certificate that signed the intermediate certificates must be present locally.
If the root CA certificate is missing from the system’s trust store, certificate verification fails as curl cannot link the certificate back to a trusted root.
Default installations include common public CA root certificates. But if a private/internal CA is used, the root certificate must be manually added to the trust store.
How to Fix the Curl: (60) SSL Certificate Problem: Unable to Get Local Issuer Certificate
Here are various methods to resolve the curl SSL certificate error and establish trust:
- Use a Valid CA-Signed Certificate
- Add the CA Certificate Bundle
- Specify the CA Certificate Path
- Disable SSL/TLS Certificate Validation
Use a Valid CA-Signed Certificate
The recommended solution is to have the server use a valid SSL certificate issued by a trusted CA rather than a self-signed certificate.
Major CAs include Let’s Encrypt, DigiCert, GlobalSign, and GoDaddy. They will validate the server’s identity and provide a certificate that curl and other clients will trust automatically.
If using an internal private CA, the root certificate must be distributed to systems that need to trust it.
Add the CA Certificate Bundle
If the error is due to an incomplete certificate chain, you must configure the server to send the full chain along with the server certificate.
For publicly trusted CAs, you can download a certificate bundle and add this to the web server configuration:
For Apache:

SSLCertificateChainFile /path/to/certificate_bundle.pem

For Nginx:

ssl_certificate /path/to/server_cert.pem;
ssl_certificate_key /path/to/server_key.pem;
ssl_trusted_certificate /path/to/certificate_bundle.pem;
This will ensure the full chain is presented to clients like curl. Note that Nginx serves the chain from the file named in ssl_certificate, so server_cert.pem should contain the server certificate followed by the intermediate certificates; ssl_trusted_certificate is only consulted for OCSP stapling and client certificate verification. Similarly, Apache 2.4.8 and later accept the intermediates appended to the SSLCertificateFile and treat SSLCertificateChainFile as obsolete.
Specify the CA Certificate Path
If the server certificate is valid but the root CA certificate is missing locally, you can tell curl where to find the CA certificate via the --cacert option:
curl --cacert /path/to/ca_certificate.pem https://example.com
This will instruct curl to use the specified CA certificate to verify the server certificate.
Disable SSL/TLS Certificate Validation
You can have curl ignore SSL certificate errors and establish an insecure connection by using the -k or --insecure option:
curl -k https://example.com
curl --insecure https://example.com
This will disable certificate validation and should only be used temporarily for testing purposes.
How to Troubleshoot Curl: (60) SSL Error: Unable to Get Local Issuer Certificate
Here are some additional tips for troubleshooting and diagnosing curl SSL certificate problems:
- Use the -v flag to enable verbose output. This provides detailed information on the certificate verification process.
- Check the expiration date on the certificate. An expired certificate will fail validation.
- Confirm the hostname in the certificate matches the server you are requesting (no mismatch between common name and domain).
- Validate that the root and intermediate CA certificates are installed on the system.
- Try installing certificate bundles from public CAs like Let’s Encrypt.
- For self-signed certificates, make sure you generate and configure them properly.
- Use openssl to examine certificates on the server and confirm they are properly formatted and signed.
- Check for issues like incorrect system time, causing certificates to appear invalid.
- If using antivirus or firewalls, whitelist curl so certificate files can be accessed.
- On Linux, use the update-ca-certificates command to update the system CA store.
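The two situations this guide keeps returning to, a server that sends only its leaf certificate versus one that sends the full chain (see "Add the CA Certificate Bundle" above), can be reproduced locally with openssl. The following script is an added example, not part of the original article: it builds a throw-away root, intermediate and server certificate (constructed lab data, not real certificates) and then verifies the server certificate the way curl does, trusting only the root. The function names make_lab_pki and check_chain are the example's own.

```shell
#!/bin/sh
# Lab for curl error 60: build a throw-away root -> intermediate -> server
# hierarchy (constructed data, not real certificates) and verify the server
# certificate the way curl does, with and without the intermediate.
set -e

# Create root, intermediate and server certs under DIR. Only the root will be
# treated as trusted, so the intermediate must travel with the server cert.
make_lab_pki() {   # usage: make_lab_pki DIR
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  for name in root int server; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab $name" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
  done
  # Root: self-signed CA. Intermediate: signed by root. Server: signed by intermediate.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
  # What a correctly configured server sends: leaf first, then intermediates.
  cat "$d/server.pem" "$d/int.pem" > "$d/fullchain.pem"
}

# Verify the FIRST certificate in CHAINFILE like curl would: only ROOT is
# trusted, and any further certificates in CHAINFILE are the untrusted
# intermediates the server presented. Exit status is openssl verify's
# (0 = chain links back to the trusted root).
check_chain() {   # usage: check_chain ROOT.pem CHAINFILE.pem
  awk '/BEGIN CERT/{p=1} p{print} /END CERT/{exit}' "$2" |
    openssl verify -CAfile "$1" -untrusted "$2"
}

lab="$(mktemp -d)"
make_lab_pki "$lab"
# Leaf alone, as a misconfigured server sends it: fails with the same
# "unable to get local issuer certificate" (error 20) that curl reports.
check_chain "$lab/root.pem" "$lab/server.pem" || echo "=> server must also send int.pem"
# Leaf plus intermediate: the chain links back to the trusted root and passes.
check_chain "$lab/root.pem" "$lab/fullchain.pem"
rm -rf "$lab"
```

The same check_chain function can be pointed at a chain captured from a real server with openssl s_client -showcerts, which tells you whether the fix belongs on the server (missing intermediate) or on the client (missing root in the trust store).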
Final Thoughts
The “curl: (60) SSL certificate problem: unable to get local issuer certificate” error indicates an issue validating the server’s SSL certificate that prevents curl from establishing a secure TLS/SSL connection.
While disabling validation may resolve the issue, it completely undermines security. The recommended solutions include using valid CA-signed certificates, configuring the full certificate chain, and installing any missing intermediate and root CA certificates.
Properly configuring SSL certificates is crucial for maintaining secure encrypted communications and protecting sensitive data in transit. Understanding and diagnosing certificate errors will help strengthen your security posture against potential man-in-the-middle attacks.
Frequently Asked Questions (FAQs)
Why am I suddenly getting this curl SSL error?
There are a few reasons this error can suddenly appear:
- The server certificate expired and has not been renewed.
- The intermediate CA certificate expired, causing the chain to break.
- The root CA certificate was removed from your local system.
- The server certificate was replaced with a self-signed certificate.
Does the curl error affect all SSL connections?
The error indicates a problem with the specific server certificate curl is attempting to validate. It does not necessarily affect all SSL/TLS connections from that system.
However, if the root cause is a missing CA certificate on your local system, it could also impact verification for other domains that rely on that CA.
Is it ok to use the -k flag permanently?
No, disabling certificate validation with -k leaves you vulnerable to attacks. It should only be used temporarily for testing when you need to diagnose the root cause of the issue before procuring a proper certificate.
Can I extract the server certificate to diagnose problems?
Yes, you can use the openssl s_client command to connect to the server and output its certificate:
openssl s_client -connect example.com:443 -showcerts
This will display the certificate sent by the server and help identify any issues.
How do I install a new root CA certificate?
On Linux, you can add root certificates to /usr/local/share/ca-certificates and then run update-ca-certificates.
On Windows, you need to add them to the Trusted Root Certification Authorities store either via CertMgr or using the CertUtil command line tool.
What’s the difference between curl and web browsers?
Curl and web browsers both use SSL certificates to establish secure connections. However, browsers come with a pre-populated list of trusted CA certificates, while curl relies on the certificates installed in the system-level trust store. A certificate might work in a browser but fail in curl if the root CA is missing on your system.
Priya Mervana
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.