How to Fix curl SSL Certificate Errors

DodaTech

In this tutorial, you'll learn how to fix curl SSL certificate errors. We cover key concepts, practical examples, and best practices.

The Problem

You run curl https://example.com and get:

curl: (60) SSL certificate problem: unable to get local issuer certificate

Or:

curl: (77) error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none

curl cannot verify the server's SSL certificate because the CA certificate bundle is missing or outdated, or because the server uses a self-signed certificate.

Quick Fix

Step 1: Update the system CA certificates

On Debian/Ubuntu:

sudo apt update && sudo apt install ca-certificates -y

On RHEL/Fedora:

sudo yum install ca-certificates -y
sudo update-ca-trust

Step 2: Use the system CA bundle explicitly

curl --cacert /etc/ssl/certs/ca-certificates.crt https://example.com

This tells curl exactly where to find the CA bundle, which helps when curl's default path is misconfigured.

Step 3: Bypass SSL verification (testing only)

curl -k https://example.com

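The -k (or --insecure) flag skips certificate validation. Never use this in production scripts: with validation off, curl accepts any certificate the server presents, so the connection is no longer protected against interception.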

Step 4: Use a custom CA certificate

curl --cacert /path/to/custom-ca.crt https://internal.example.com

For internal services with self-signed or custom CA certificates, specify the CA file directly.

Step 5: Set the CA bundle path permanently

export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
# or
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

Add the export line to ~/.bashrc so it persists across sessions.

Step 6: Debug the certificate chain

curl -v https://example.com 2>&1 | grep -A5 "Server certificate"

Expected:

* Server certificate:
*  subject: CN=example.com
*  start date: Apr 15 00:00:00 2024 GMT
*  expire date: Jul 14 23:59:59 2024 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.

Step 7: Download a new CA bundle

If the system bundle is corrupted:

wget -O /tmp/cacert.pem https://curl.se/ca/cacert.pem
curl --cacert /tmp/cacert.pem https://example.com

Step 8: Check curl's compiled-in CA path

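curl -v https://example.com 2>&1 | grep -E "CAfile|CApath"

curl -V does not list the CA paths. The verbose output of an HTTPS request shows the CAfile and CApath curl is using, which are the compiled-in defaults unless --cacert or CURL_CA_BUNDLE overrides them.

Expected:

*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs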

Alternative Solutions

Use wget instead of curl:

wget https://example.com

wget may use a different CA bundle path that is correctly configured on your system.

Common Errors

curl: (77) error setting certificate verify locations: curl cannot find the CA bundle. Set the path explicitly: curl --cacert /etc/ssl/certs/ca-certificates.crt https://example.com.

curl: (35) SSL connect error: The server does not support any SSL version that curl offers. Check the server's TLS configuration with openssl s_client.

Self-signed certificate in production: Never use -k in production scripts. Instead, add the self-signed certificate to the system trust store or use --cacert to point to the specific CA.

Certificate works in browser but not curl: Browsers may have a different CA trust store than curl. Install the system CA bundle: sudo apt install ca-certificates -y.

Prevention

  • Keep ca-certificates updated with regular system updates.
  • Use a valid certificate from a trusted CA (Let's Encrypt is free).
  • For internal services, add the internal CA certificate to the system trust store.
  • Never use -k in CI/CD scripts — configure the correct CA bundle instead.
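
The last rule can be checked automatically before a script reaches CI. The lint below is an added example, not part of the original tutorial: find_insecure_curl and sample_ci_script are hypothetical names, the sample script is constructed, and the list of no-argument short flags is an assumed subset of curl's options.

```shell
#!/bin/sh
# Added example (not from the original page): flag curl calls that disable
# certificate verification. Prints "file:line: command"; returns 1 on any hit.
find_insecure_curl() {
    awk '
    BEGIN {
        # -k alone or in a cluster of flags that take no argument (assumed
        # subset: s S L f v i I O g G N 4 6). "-ok" is not matched, because
        # there "k" is the file name given to -o.
        re_short = "(^|[ \t])-[sSLfviIOgGN46]*k"
        re_long  = "(^|[ \t])--insecure([ \t]|$)"
        re_curl  = "(^|[^A-Za-z0-9_-])curl([ \t]|$)"
    }
    FNR == 1 { buf = "" }
    {
        line = $0
        if (buf == "") start = FNR
        # Join backslash-continued lines so flags on later lines are seen.
        if (line ~ /\\$/) { sub(/\\$/, " ", line); buf = buf line; next }
        cmd = buf line; buf = ""
        if (cmd ~ /^[ \t]*#/) next    # skip comment lines
        # Test each pipeline stage on its own so "curl ... | sort -k 2" is clean.
        n = split(cmd, seg, /[|;]+/)
        for (i = 1; i <= n; i++)
            if (seg[i] ~ re_curl && (seg[i] ~ re_short || seg[i] ~ re_long)) {
                printf "%s:%d: %s\n", (FILENAME ? FILENAME : "stdin"), start, cmd
                hits++
                break
            }
    }
    END { exit (hits > 0) }
    ' "$@"
}

# Constructed sample CI script: only lines 4 and 5 should be reported.
sample_ci_script() {
    cat <<'EOF'
#!/bin/sh
# curl -k https://example.com
curl --cacert /etc/ssl/certs/ca-certificates.crt https://example.com
curl -sSk https://internal.example.com
curl -fsSL \
  --insecure https://internal.example.com
curl -ok https://example.com
curl -s https://example.com | sort -k 2
EOF
}

sample_ci_script | find_insecure_curl || echo "certificate verification disabled above" >&2
```

Call find_insecure_curl with one or more script paths in a pre-commit hook or pipeline step and fail the job on a non-zero return.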
