Bash Curl Command SSL/TLS Error Fix

DodaTech Updated 2026-06-24 2 min read

This tutorial covers how to diagnose and fix SSL/TLS certificate errors from curl in Bash scripts, with key concepts, practical examples, and best practices.

Bash curl commands fail with SSL errors when the server certificate is self-signed, expired, or the CA certificate bundle on the system is outdated.

The Wrong Way

curl https://self-signed.badssl.com/

Output:

curl: (60) SSL certificate problem: self-signed certificate

Curl rejects self-signed certificates by default.

The Right Way

curl -k https://self-signed.badssl.com/

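-k (or --insecure) skips certificate verification entirely, so use it only in testing environments. When you have the server's CA certificate, validate against it with --cacert instead.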

Step-by-Step Fix

1. Show certificate details

curl -vI https://example.com 2>&1 | grep -A5 "Server certificate"

2. Use the system CA bundle

curl --cacert /etc/ssl/certs/ca-certificates.crt https://example.com

3. Set minimum TLS version

curl --tlsv1.2 https://example.com

4. Use a specific cipher

curl --ciphers 'ECDHE-RSA-AES128-GCM-SHA256' https://example.com

5. Update the CA certificates

# Ubuntu/Debian
sudo apt update && sudo apt install ca-certificates
# macOS
brew install ca-certificates

Prevention Tips

  • Use -k only for testing; never in production scripts.
  • Keep the system CA bundle up to date.
  • Use --cacert to specify a custom CA bundle when needed.
  • Use --cert and --key for client certificate authentication.
  • Use curl --version to check the supported SSL/TLS library.
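
One way to enforce the first tip, as an added example that is not part of the original tutorial: a small shell lint that reports curl calls using -k, --insecure, or a short-option cluster containing k. The function names, the regular expression and the sample script are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial: report curl calls that
# disable certificate verification so they can be caught before production.

# Matches "curl" followed, before any '#', by --insecure or a short-option
# cluster containing k (-k, -sk, -fsSk). -K (config file) is not matched.
INSECURE_CURL_RE='(^|[^[:alnum:]_-])curl[[:space:]]([^#]*[[:space:]])?(--insecure|-[[:alpha:]]*k[[:alpha:]]*)([^[:alnum:]-]|$)'

# find_insecure_curl FILE...
# Prints "file:line:text" for each non-comment line that matches.
# Returns 0 if the files are clean, 1 if any insecure call was found.
# Limitation: only the line containing "curl" is inspected, so a -k placed
# on a backslash-continuation line is not seen.
find_insecure_curl() {
    hits=$(grep -nHE -- "$INSECURE_CURL_RE" "$@" \
        | grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample input: a script mixing verified and unverified calls.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# curl -k https://self-signed.badssl.com/   (commented out, ignored)
curl --cacert /etc/ssl/certs/ca-certificates.crt https://example.com
curl --tlsv1.2 -K curl.conf https://example.com
curl -k https://self-signed.badssl.com/
curl -fsSk https://example.com -o out.bin
curl --insecure https://example.com
EOF
}

# Scan the files named on the command line, or the sample if none are given.
if [ "$#" -gt 0 ]; then
    find_insecure_curl "$@"
else
    sample=$(mktemp) && write_sample "$sample"
    find_insecure_curl "$sample" || echo "insecure curl calls found"
    rm -f "$sample"
fi
```

Run it with script paths as arguments in CI; a non-zero exit status means at least one call skips verification.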

FAQ

What is the difference between -k and --cacert?

-k (--insecure) skips all certificate validation. --cacert specifies a custom CA bundle to validate against. Use --cacert when you have the server's CA certificate but it is not in the system bundle.

Why does a site work in a browser but fail with curl in a script?

Browsers maintain their own CA certificate stores that are updated regularly. The system CA bundle that curl uses may be outdated. Run sudo apt install ca-certificates to update.

How do I fix "SSL certificate problem: unable to get local issuer certificate"?

The server did not send the intermediate certificate, or the CA bundle is missing the intermediate. Download the missing intermediate certificate and use curl --cacert intermediate.crt https://example.com.

Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.