curl: (60) SSL certificate problem: unable to get local issuer certificate

我寻月下人不归 2020-11-22 08:09
root@sclrdev:/home/sclr/certs/FreshCerts# curl --ftp-ssl --verbose ftp://{abc}/ -u trup:trup --cacert /etc/ssl/certs/ca-certificates.crt
* About to connect() to {abc         


        
26 Answers
  •  感情败类
    2020-11-22 08:44

    It is most likely a missing cert from the server.

    Root->Intermediate->Server

    A server should send the Server & Intermediate as a minimum.

    Use openssl s_client -showcerts -starttls ftp -crlf -connect abc:21 to debug the issue.

    If only one cert is returned (either self signed, or issued), then you must choose to either:

    1. have the server fixed
    2. trust that cert and add it to your CA cert store (not the best idea)
    3. disable trust, e.g. curl -k (very bad idea)

    If the server returned more than one, but not including a self-signed (root) cert:

    1. install the CA (root) cert in your CA store for this chain, e.g. google the issuer. (ONLY if you trust that CA)
    2. have the server fixed to send the CA as part of the chain
    3. trust a cert in the chain
    4. disable trust

    If the server returned a root CA certificate, then it is not in your CA store, your options are:

    1. Add (trust) it
    2. disable trust

    I have ignored expired / revoked certs because there were no messages indicating it. But you can examine the certs with openssl x509 -text

    Given you are connecting to a home edition (https://www.cerberusftp.com/support/help/installing-a-certificate/) ftp server, I am going to say it is self signed.

    Please post more details, like the output from openssl.
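
An added example, not part of the answer above: a Python sketch that reads the text printed by `openssl s_client -showcerts` and names which of the answer's cases applies (one cert, several certs without a root, or a chain that includes a root). The function names and the sample output are constructed for illustration, and "self-signed" is judged only by the subject name equalling the issuer name.

```python
import re

SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")  # e.g. " 0 s:CN = host"
ISSUER = re.compile(r"^\s+i:(.*)$")         # e.g. "   i:CN = issuing CA"

def parse_chain(text):
    """Return [(subject, issuer), ...] from the 'Certificate chain' section."""
    chain, in_chain, subject = [], False, None
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":  # section terminator
            break
        elif in_chain and (m := SUBJECT.match(line)):
            subject = m.group(1).strip()
        elif in_chain and subject is not None and (m := ISSUER.match(line)):
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def classify(chain):
    """Name the answer's case. subject == issuer is a name-only heuristic
    for 'self-signed'; it does not verify any signature."""
    if not chain:
        return "no certificates sent"
    has_root = any(subj == iss for subj, iss in chain)
    if len(chain) == 1:
        return "single cert, self-signed" if has_root else "single cert, issued"
    return "chain includes a root" if has_root else "chain without a root"

# Constructed sample output (names are made up; base64 bodies omitted).
SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ftp.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(base64 omitted)
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
(base64 omitted)
-----END CERTIFICATE-----
---
Server certificate
"""

if __name__ == "__main__":
    print(classify(parse_chain(SAMPLE)))
```

For the constructed sample the result is "chain without a root": the issuer of the last certificate sent is the CA that has to be present in the file passed to `--cacert`.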
