How to Fix curl SSL Certificate Errors
In this tutorial, you'll learn how to fix curl SSL certificate errors. We cover key concepts, practical examples, and best practices.
The Problem
You run curl https://example.com and get:
curl: (60) SSL certificate problem: unable to get local issuer certificate
Or:
curl: (77) error setting certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
curl cannot verify the server's SSL certificate because the CA certificate bundle is missing or outdated, or because the server uses a self-signed certificate.
Quick Fix
Step 1: Update the system CA certificates
On Debian/Ubuntu:
sudo apt update && sudo apt install ca-certificates -y
On RHEL/Fedora:
sudo yum install ca-certificates -y
sudo update-ca-trust
Step 2: Use the system CA bundle explicitly
curl --cacert /etc/ssl/certs/ca-certificates.crt https://example.com
This tells curl exactly where to find the CA bundle. It works when curl's default path is misconfigured.
Step 3: Bypass SSL verification (testing only)
curl -k https://example.com
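The -k (or --insecure) flag skips certificate validation. Never use this in production scripts: curl will accept any certificate, so nothing confirms that you are talking to the intended server, and the connection can be intercepted.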
Step 4: Use a custom CA certificate
curl --cacert /path/to/custom-ca.crt https://internal.example.com
For internal services with self-signed or custom CA certificates, specify the CA file directly.
Step 5: Set the CA bundle path permanently
export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
# or
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
Add the line to ~/.bashrc to make it persistent.
Step 6: Debug the certificate chain
curl -v https://example.com 2>&1 | grep -A5 "Server certificate"
Expected:
* Server certificate:
* subject: CN=example.com
* start date: Apr 15 00:00:00 2024 GMT
* expire date: Jul 14 23:59:59 2024 GMT
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
Step 7: Download a new CA bundle
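If the system bundle is corrupted, download a fresh one from the curl project. The file becomes your root of trust, so compare it against the checksum published at https://curl.se/ca/cacert.pem.sha256 before using it: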
wget -O /tmp/cacert.pem https://curl.se/ca/cacert.pem
curl --cacert /tmp/cacert.pem https://example.com
Step 8: Check curl's compiled-in CA path
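curl -V does not list CA paths. The verbose output of a request shows the CAfile and CApath in effect, which are the compiled-in defaults unless --cacert or the environment variables from Step 5 override them:
curl -v https://example.com 2>&1 | grep -i "CAfile\|CApath"
Expected:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs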
Alternative Solutions
Use wget instead of curl:
wget https://example.com
wget may use a different CA bundle path that is correctly configured on your system.
Common Errors
curl: (77) error setting certificate verify locations: curl cannot find the CA bundle. Set the path explicitly: curl --cacert /etc/ssl/certs/ca-certificates.crt https://example.com.
curl: (35) SSL connect error: The server does not support any SSL version that curl offers. Check the server's TLS configuration with openssl s_client.
Self-signed certificate in production: Never use -k in production scripts. Instead, add the self-signed certificate to the system trust store or use --cacert to point to the specific CA.
Certificate works in browser but not curl: Browsers may have a different CA trust store than curl. Install the system CA bundle: sudo apt install ca-certificates -y.
Prevention
- Keep ca-certificates updated with regular system updates.
- Use a valid certificate from a trusted CA (Let's Encrypt is free).
- For internal services, add the internal CA certificate to the system trust store.
- Never use -k in CI/CD scripts — configure the correct CA bundle instead.
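The rule about keeping -k out of CI/CD scripts can be enforced mechanically. The following is an added example, not part of the original tutorial: a POSIX shell check that reports curl invocations using -k, a short-option cluster containing k, or --insecure. The function names find_insecure_curl and write_sample and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): a CI gate that flags curl calls
# which turn off certificate verification. Heuristic, line-based matching.

# find_insecure_curl FILE...
# Prints "file:line:text" for each offending line; returns 1 if any, else 0.
find_insecure_curl() {
  # A curl invocation followed on the same line (before any '#') by either
  #   --insecure            the long option, or
  #   -k / -sk / -sSkL      a short-option cluster containing k.
  # /dev/null forces grep to print the file name even for a single file.
  # The second grep drops comment-only lines such as "# curl -k ...".
  hits=$(grep -nE '(^|[^[:alnum:]_-])curl[[:space:]]([^#]*[[:space:]])?(--insecure|-[[:alpha:]]*k[[:alpha:]]*)([[:space:]=]|$)' \
           "$@" /dev/null | grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true)
  if [ -z "$hits" ]; then
    return 0
  fi
  printf '%s\n' "$hits"
  return 1
}

# write_sample PATH: writes a constructed deploy script used for the demo.
write_sample() {
  cat > "$1" <<'EOF'
#!/bin/sh
curl -fsSL https://example.com/install.sh -o install.sh
curl -k https://internal.example.com/health
curl -sSkL https://internal.example.com/artifact.tgz
curl --insecure --retry 3 https://internal.example.com/
# curl -k is for local testing only
curl --cacert /path/to/custom-ca.crt https://internal.example.com
curl https://example.com/pkg  # never add -k here
wget https://example.com
EOF
}

# Demo: lines 3, 4 and 5 of the sample are reported; the rest pass.
sample=$(mktemp)
write_sample "$sample"
find_insecure_curl "$sample" || echo "insecure curl usage found: fix the CA bundle instead"
rm -f "$sample"
```

The match is line-based, so it does not see flags on backslash-continued lines or an insecure setting in a curl config file, and a cluster such as -ok (output to a file named k) is reported as a false positive.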