curl 60 SSL certificate problem unable to get local issuer certificate

Question

root sclrdev  home sclr certs FreshCerts  curl --ftp-ssl --verbose ftp    abc   -u trup trup --cacert  etc ssl certs ca-certificates crt   About to connect   to  abc  port 21   0      Trying  abc       Connected to  abc    abc   port 21   0   lt  220-Cerberus FTP Server - Home Edition  lt  220-This is the UNLICENSED Home Edition and may be used for home  personal use only  lt  220-Welcome to Cerberus FTP Server  lt  220 Created by Cerberus  LLC  gt  AUTH SSL  lt  234 Authentication method accepted   successfully set certificate verify locations      CAfile   etc ssl certs ca-certificates crt   CApath   etc ssl certs   SSLv3  TLS handshake  Client hello  1     SSLv3  TLS handshake  Server hello  2     SSLv3  TLS handshake  CERT  11     SSLv3  TLS alert  Server hello  2     SSL certificate problem  unable to get local issuer certificate   Closing connection 0 curl   60  SSL certificate problem  unable to get local issuer certificate More details here  http   curl haxx se docs sslcerts html  curl performs SSL certificate verification by default  using a  bundle   of Certificate Authority  CA  public keys  CA certs   If the default  bundle file isn t adequate  you can specify an alternate file  using the --cacert option  If this HTTPS server uses a certificate signed by a CA represented in  the bundle  the certificate verification probably failed due to a  problem with the certificate  it might be expired  or the name might  not match the domain name in the URL   If you d like to turn off curl s verification of the certificate  use  the -k  or --insecure  option

User · Answer

I have encountered this problem as well  I ve read this thread and most of the answers are informative but overly complex to me  I m not experienced in networking topics so this answer is for people like me   In my case  this error was happening because I didn t include the intermediate and root certificates next to the certificate I was using in my application   Here s what I got from the SSL certificate supplier   - abc crt - abc pem - abc-bunde crt   In the abc crt file  there was only one certificate   -----BEGIN CERTIFICATE-----   certificate content here   -----END CERTIFICATE-----   If I supplied it in this format  the browser would not show any errors  Firefox  but I would get curl   60  SSL certificate   unable to get local issuer certificate error when I did the curl request   To fix this error  check your abc-bunde crt file  You will most likely see something like this   -----BEGIN CERTIFICATE-----   additional certificate content here   -----END CERTIFICATE----- -----BEGIN CERTIFICATE-----   other certificate content here   -----END CERTIFICATE----- -----BEGIN CERTIFICATE-----   different certificate content here   -----END CERTIFICATE-----   These are your Intermediate and root certificates  Error is happening because they are missing in the SSL certificate you re supplying to your application   To fix the error  combine the contents of both of these files in this format   -----BEGIN CERTIFICATE-----   certificate content here   -----END CERTIFICATE----- -----BEGIN CERTIFICATE-----   additional certificate content here   -----END CERTIFICATE----- -----BEGIN CERTIFICATE-----   other certificate content here   -----END CERTIFICATE----- -----BEGIN CERTIFICATE-----   different certificate content here   -----END CERTIFICATE-----   Note that there are no spaces between certificates  at the end or at the start of the file  Once you supply this combined certificate to your application  your problem should be fixed

User · Answer

Had that problem and it was not solved with newer version   etc certs had the root cert  the browser said everything is fine  After some testing I got from ssllabs com the warning  that my chain was not complete  Indeed it was the chain for the old certificate and not the new one   After correcting the cert chain everything was fine  even with curl

User · Answer

In my case it turned out to be a problem with the installation of my certificate on the service I was trying to consume with cURL  I failed to bundle concatenate the intermediate and root certificates into my domain certificate  It wasn t obvious at first that this was the problem because Chrome worked it out and accepted the certificate in spite of leaving out the intermediate and root certificates   After bundling the certificate  everything worked as expected  I bundled like this    cat intermediate crt  gt  gt  domain crt   And repeated for all intermediate and the root certificate

User · Answer

According to cURL docs you can also pass the certificate to the curl command        Get a CA certificate that can verify the remote server and use the   proper option to point out this CA cert for verification when   connecting  For libcurl hackers  curl easy setopt curl    CURLOPT CAPATH  capath        With the curl command line tool  --cacert  file      For example    curl --cacert mycertificate cer -v https   www stackoverflow com

User · Answer

Download https   curl haxx se ca cacert pem  After download  move this file to your wamp server  For exp  D  wamp bin php   Then add the following line to the php ini file at the bottom    curl cainfo  quot D  wamp bin php cacert pem quot   Now restart your wamp server

User · Answer

this can help you for guzzle      client   new Client env  API HOST      client- gt setSslVerification false     tested on guzzle guzzle 3

User · Answer

It is most likely a missing cert from the server   Root- Intermediate- Server  A server should send the Server  amp  Intermediate as a minimum   Use openssl s client -showcerts -starttls ftp -crlf -connect abc 21 to debug the issue   If only one cert is returned  either self signed  or issued   then you must choose to either    have the server fixed trust that cert and add it to your CA cert store  not the best idea  disable trust  e g  curl -k  very bad idea    If the server returned  more than one  but not including a self signed  root  cert    install the CA  root  cert in your CA store for the this chain  e g  google the issuer   ONLY if you trust that CA  have the server fixed to send the CA as part of the chain trust a cert in the chain disable trust   If the server returned a root CA certificate  then it is not in your CA store  your options are    Add  trust  it disable trust   I have ignored expired   revoked certs because there were no messages indicating it  But you can examine the certs with openssl x509 -text  Given you are connecting to a home edition  https   www cerberusftp com support help installing-a-certificate   ftp server  I am going to say it is self signed   Please post more details  like the output from openssl

User · Answer

sudo apt-get install ca-certificates  Worked for me

User · Answer

So far  I ve seen this issue happen within corporate networks because of two reasons  one or both of which may be happening in your case    Because of the way network proxies work  they have their own SSL certificates  thereby altering the certificates that curl sees   Many or most enterprise networks force you to use these proxies  Some antivirus programs running on client PCs also act similarly to an HTTPS proxy  so that they can scan your network traffic   Your antivirus program may have an option to disable this function  assuming your administrators will allow it     As a side note  No  2 above may make you feel uneasy about your supposedly secure TLS traffic being scanned   That s the corporate world for you

User · Answer

I have solved this problem by adding one line code in cURL script   curl setopt  ch  CURLOPT SSL VERIFYPEER  false     Warning  This makes the request absolute insecure  see answer by  YSU

User · Answer

Try reinstalling curl in Ubuntu  and updating my CA certs with sudo update-ca-certificates --fresh which updated the certs

User · Answer

Simple solution  IN    sdkman etc config  change sdkman insecure ssl true  Steps  nano    sdkman etc config change sdkman insecure ssl false to sdkman insecure ssl true save and exit

User · Answer

My case was different  I m hosting a site behind a firewall  The error was caused by pfSense   Network layout   Web Server 10 x x x   lt - gt   pfSense 49 x x x   lt - gt   Open Internet    I accidentally found the cause  thanks to this answer     All is well when I accessed my site from WAN   However  when the site was accessed from inside LAN  e g  when Wordpress made a curl request to its own server  despite using the WAN IP 49 x x x   it was served the pfSense login page   I identified the certificate as pfSense webConfigurator Self-Signed Certificate  No wonder curl threw an error   Cause  What happened was that curl was using the site s WAN IP address 49 x x x  But  in the context of the web server  the WAN IP was the firewall   Debug  I found that I was getting the pfSense certificate   Solution  On the server hosting the site  point its own domain name to 127 0 0 1  By applying the solution  curl s request was properly handled by the web server  and not forwarded to the firewall which responded by sending the login page

User · Answer

Had this problem after install Git Extensions v3 48  Tried to install mysysgit again but same problem  At the end  had to disable  please consider security implications   Git SSL verification with   git config --global http sslVerify false   but if you have a domain certificate better add it to  Win7   C  Program Files  x86  Git bin curl-ca-bundle crt

User · Answer

Relating to  SSL certificate problem  unable to get local issuer certificate  error  It is important to note that this applies to the system sending the CURL request  and NOT the server receiving the request    Download the latest cacert pem from https   curl haxx se ca cacert pem Add the following line to php ini    if this is shared hosting and you don t have access to php ini then you could add this to  user ini in public html    curl cainfo   path to downloaded cacert pem   Make sure you enclose the path within double quotation marks    By default  the FastCGI process will parse new files every 300 seconds  if required you can change the frequency by adding a couple of files as suggested here https   ss88 uk blog fast-cgi-and-user-ini-files-the-new-htaccess

User · Answer

It might be sufficient to just update the list of certificates  sudo update-ca-certificates -f      update-ca-certificates  is  a  program that updates the directory  etc ssl certs to hold SSL certificates and generates ca-certificates crt  a concatenated single-file list of certificates

User · Answer

For me  simple install of certificates helped   sudo apt-get install ca-certificates

User · Answer

We ran into this error recently   Turns out it was related to the root cert not being installed in the CA store directory properly   I was using a curl command where I was specifying the CA dir directly   curl --cacert  etc test server pem --capath  etc test     This command was failing every time with curl   60  SSL certificate problem  unable to get local issuer certificate    After using strace curl      it was determined that curl was looking for the root cert file with a name of 60ff2731 0  which is based on an openssl hash naming convetion   So I found this command to effectively import the root cert properly       ln -s rootcert pem  openssl x509 -hash -noout -in rootcert pem  0   which creates a softlink      60ff2731 0 -  rootcert pem   curl  under the covers read the server pem cert  determined the name of the root cert file  rootcert pem   converted it to its hash name  then did an OS file lookup  but could not find it       So  the takeaway is  use strace when running curl when the curl error is obscure  was a tremendous help   and then be sure to properly install the root cert using the openssl naming convention

User · Answer

Specifically for Windows users  using curl-7 57 0-win64-mingw or similar version   This is a bit late  and the existing answers are correct  But I still had to struggle a bit to get it working on my Windows machine  though the process is actually pretty straight forward  So  sharing the step-by-step process   This error basically means  curl is failing to verify the certificate of the target URI  If you trust the issuer of the certificate  CA   you can add that to the list of trusted certificates   For that  browse the URI  e g  on Chrome  and follow the steps   Right click on the secure padlock icon Click on certificate  it ll open a window with the certificate details Go to  Certification Path  tab Click the ROOT certificate Click View Certificate  it ll open another certificate window Go to Details tab Click Copy to File  it ll open the export wizard Click Next Select  Base-64 encoded X 509   CER   Click Next Give a friendly name e g   MyDomainX cer   browse to desired directory  Click Next Click Finish  it ll save the certificate file Now open this  cer file and copy the contents  including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----  Now go to the directory where curl exe is saved e g  C  SomeFolder curl-7 57 0-win64-mingw bin Open the curl-ca-bundle crt file with a text editor Append the copied certificate text to the end of the file  Save   Now your command should execute fine in curl

User · Answer

You have to change server cert from cert pem to fullchain pem I had the same issue with Perl HTTPS Daemon  I have changed  SSL cert file   gt    etc letsencrypt live mydomain cert pem  to  SSL cert file   gt    etc letsencrypt live mydomain fullchain pem

User · Answer

On windows I was having this problem  Curl was installed by mysysgit  so downloading and installing the newest version fixed my issue    Otherwise these are decent instructions on how to update your CA cert that you could try

User · Answer

Yes you need to add a CA certificate also  Adding a code snippet in Node js for clear view   var fs   require fs  var path   require  path   var https   require  https   var port   process env PORT    8080  var app   express     https createServer   key  fs readFileSync path join   dirname     path to your private key privkey pem     cert  fs readFileSync path join   dirname     path to your certificate cert pem     ca  fs readFileSync path join   dirname     path to your CA file chain pem      app  listen port

User · Answer

On windows - if you want to run from cmd  gt  curl -X GET  quot https   some place quot   Download cacert pem from https   curl haxx se docs caextract html Set permanently the environment variable  CURL CA BUNDLE   C  somefolder cacert pem  And reload the environment by reopening any cmd window in which you want to use curl  if Chocolatey is installed you can use  refreshenv  Now try again Reason for the trouble  https   laracasts com discuss channels general-discussion curl-error-60-ssl-certificate-problem-unable-to-get-local-issuer-certificate replies 95548

User · Answer

This is ssh certificate store issue  You need to download the valid certificate pem file from target CA website  and then build the soft link file to instruct ssl the trusted certifacate   openssl x509 -hash -noout -in DigiCert Global Root G3 pem  you will get dd8e9d41  build solf link with hash number and suffix the file with a  0  dot-zero   dd8e9d41 0  Then try again

User · Answer

I had this problem with Digicert of all CAs   I created a digicertca pem file that was just both intermediate and root pasted together into one file   curl https   cacerts digicert com DigiCertGlobalRootCA crt pem curl https   cacerts digicert com DigiCertSHA2SecureServerCA crt pem  curl -v https   mydigisite com sign on --cacert DigiCertCA pem        subjectAltName  host  mydigisite com  matched cert s  mydigisite com     issuer  C US  O DigiCert Inc  CN DigiCert SHA2 Secure Server CA    SSL certificate verify ok   gt  GET  users sign in HTTP 1 1  gt  Host  mydigisite com  gt  User-Agent  curl 7 65 1  gt  Accept            Eorekan had the answer but only got myself and one other to up vote his answer

User · Answer

It is failing as cURL is unable to verify the certificate provided by the server   There are two options to get this to work    Use cURL with -k option which allows curl to make insecure connections  that is cURL does not verify the certificate  Add the root CA  the CA signing the server certificate  to  etc ssl certs ca-certificates crt   You should use option 2 as it s the option that ensures that you are connecting to secure FTP server

[curl] curl: (60) SSL certificate problem: unable to get local issuer certificate

Examples related to curl

Examples related to ssl

Examples related to openssl

Examples related to ssl-certificate

Examples related to x509certificate