Are you getting the curl error 60: SSL certificate problem? This can be a frustrating error to deal with, but don’t worry – we have four ways to fix it! In this blog post, we will walk you through each of these methods.
If you are getting this error, it means that cURL is not able to verify the SSL certificate of the website you are trying to connect to. This can happen for a number of reasons. One reason might be that the root CA certificates are not installed on your server. Another reason might be that the site’s SSL certificate is not signed by a trusted CA.
understanding CA certificate
A CA certificate is a digital certificate issued by a certificate authority (CA), so SSL clients (such as web browsers) can use it to verify the SSL certificates sign by this CA.
For example, stackoverflow.com uses Let’s Encrypt to sign its servers, and SSL certificates sent by stackoverflow.com mention they are signed by Let’s Encrypt. Your browser contains the CA certificate from Let’s Encrypt and so the browser can use that CA certificate to verify the stackoverflow’s SSL certificate and make sure you are indeed talking to real server, not man-in-the-middle.
Do we need install CA certificate manually?
Typically, we don’t need to install a Root CA certificate, as they are included in web browsers’ trust stores and are even pre-installed on some operating systems.
This allows our computer to be able to tell whether or not a certificate is invalid, because if its root certificate isn’t on their trusted root CA list, then it’ll warn us that the certificate is not a trusted one.
Specify root CA file in curl command
–cacert (HTTPS) Tells curl to use the specified certificate file to verify the peer. The file contains multiple CA certificates. The certificate(s) must be in PEM format. If this option is used several times, the last one will be used.
So, if you specify –cacert, the CA certs are stored in the specified file. These CA certificates are used to verify the certs of remote servers that cURL connects to.
curl --cacert /etc/pki/ssl/ca/ca-all.pem https://mycustomapi.com
Configure environment variable CURL_CA_BUNDLE in system
CURL_CA_BUNDLE is used to specify the location of the Certificate Authority (CA) bundle file to be used by Curl when using HTTPS connections. Curl comes bundled with its own CA bundle by default, so this variable is not required unless you have an unusual installation.
export CURL_CA_BUNDLE=/path/to/my-ca-bundle.pem
Install latest CA certificates package in system
ca-certificates package includes the well-known CA certificates. It can be used by any CLI application that looks directly at the /etc/pki/ca-trust/extracted directory, along with the CLI applications that load one of the PKCS#11 trust modules. Command-line utilities such as curl and wget can use these CA certificates to validate server certificates.
With the ca-certificates package installed, we can use curl to view or download URL content from a site using a certificate signed by a well-known CA without error.
apt-get or yum install ca-certificates
Skip the SSL check in curl command
Some documentation encourages a simple insecure connection for these internal and trusted sites. Curl can connect insecurely with the -k or –insecure option:
$ curl -k https://host.internal-FQDN/
We hope this blog post has helped you fix the cURL error 60: SSL certificate problem. If you are still having trouble, please contact our support team for assistance. Thank you!