curl: (60) SSL certificate problem: unable to get local issuer certificate

我寻月下人不归 2020-11-22 08:09
root@sclrdev:/home/sclr/certs/FreshCerts# curl --ftp-ssl --verbose ftp://{abc}/ -u trup:trup --cacert /etc/ssl/certs/ca-certificates.crt
* About to connect() to {abc         


        
26 answers
  • 2020-11-22 08:44

    It is most likely a missing cert from the server.

    Root->Intermediate->Server

    A server should send the Server & Intermediate as a minimum.

    Use openssl s_client -showcerts -starttls ftp -crlf -connect abc:21 to debug the issue.

    If only one cert is returned (either self signed, or issued), then you must choose to either:

    1. have the server fixed
    2. trust that cert and add it to your CA cert store (not the best idea)
    3. disable trust, e.g. curl -k (very bad idea)

    If the server returned more than one, but not including a self signed (root) cert:

    1. install the CA (root) cert in your CA store for this chain, e.g. google the issuer. (ONLY if you trust that CA)
    2. have the server fixed to send the CA as part of the chain
    3. trust a cert in the chain
    4. disable trust

    If the server returned a root CA certificate, then it is not in your CA store, your options are:

    1. Add (trust) it
    2. disable trust

    I have ignored expired / revoked certs because there were no messages indicating it. But you can examine the certs with openssl x509 -text.

    Given you are connecting to a home edition (https://www.cerberusftp.com/support/help/installing-a-certificate/) ftp server, I am going to say it is self signed.

    Please post more details, like the output from openssl.

    0 Discussion (0)
  • 2020-11-22 08:44

    This can help you for Guzzle:

    use Guzzle\Http\Client;

    $client = new Client(env('API_HOST'));
    // Turns off TLS certificate verification for requests made by this client
    $client->setSslVerification(false);

    Tested on guzzle/guzzle 3.*

    0 Discussion (0)
  • 2020-11-22 08:45

    We ran into this error recently. Turns out it was related to the root cert not being installed in the CA store directory properly. I was using a curl command where I was specifying the CA dir directly. curl --cacert /etc/test/server.pem --capath /etc/test ... This command was failing every time with curl: (60) SSL certificate problem: unable to get local issuer certificate.

    After using strace curl ..., it was determined that curl was looking for the root cert file with a name of 60ff2731.0, which is based on an openssl hash naming convention. So I found this command to effectively import the root cert properly:

    ln -s rootcert.pem `openssl x509 -hash -noout -in rootcert.pem`.0

    which creates a softlink

    60ff2731.0 -> rootcert.pem

    curl, under the covers, read the server.pem cert, determined the name of the root cert file (rootcert.pem), converted it to its hash name, then did an OS file lookup, but could not find it.

    So, the takeaway is, use strace when running curl when the curl error is obscure (was a tremendous help), and then be sure to properly install the root cert using the openssl naming convention.

    0 Discussion (0)
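The two diagnoses above (a server that omits the intermediate, and a root sitting in a --capath directory without its hash-named link), reproduced offline as an added example that is not part of any answer. It builds a throwaway Root->Intermediate->Server chain and runs openssl verify against it; all file names, CNs and helper functions are made up for the illustration.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI; every name and file below is made up.
set -e
W=$(mktemp -d) && cd "$W" && mkdir capath
printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# csr NAME CN: new key plus certificate request
csr() {
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# sign NAME ISSUER EXTFILE: issue NAME.pem from NAME.csr, signed by ISSUER
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
}
# check ARGS...: verify server.pem; print OK or "depth N: <openssl error text>"
check() {
  if out=$(openssl verify "$@" server.pem 2>&1); then echo OK; else
    echo "$out" | sed -n 's/^error [0-9]* at \([0-9]*\) depth lookup: *\(.*\)$/depth \1: \2/p'
  fi
}
# install_root DIR: hash-named link so OpenSSL's directory lookup can find the root
install_root() {
  ( cd "$1" && ln -sf rootcert.pem "$(openssl x509 -hash -noout -in rootcert.pem).0" )
}

# Root -> Intermediate -> Server
csr root "Example Root"; csr inter "Example Intermediate"; csr server "ftp.example.test"
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 \
  -out root.pem 2>/dev/null
sign inter root ca.ext
sign server inter leaf.ext

# 1. Trusted root, but the server sent only its own cert (no intermediate)
leaf_only=$(check -CAfile root.pem)
# 2. Same store, server also sent the intermediate (-untrusted = "as received")
with_inter=$(check -CAfile root.pem -untrusted inter.pem)
# 3. Root copied into a --capath style directory under a plain file name
cp root.pem capath/rootcert.pem
plain_name=$(check -CApath capath -untrusted inter.pem)
# 4. Same directory after adding the <subject-hash>.0 link
install_root capath
hashed=$(check -CApath capath -untrusted inter.pem)

printf '%s\n' "leaf only:  $leaf_only" "with inter: $with_inter" \
  "plain name: $plain_name" "hash link:  $hashed"
```

Cases 1 and 3 fail with the same "unable to get local issuer certificate" text that curl reports under error 60; cases 2 and 4 verify once the missing piece is in place.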
  • 2020-11-22 08:45

    According to cURL docs you can also pass the certificate to the curl command:

    Get a CA certificate that can verify the remote server and use the proper option to point out this CA cert for verification when connecting. For libcurl hackers: curl_easy_setopt(curl, CURLOPT_CAPATH, capath);

    With the curl command line tool: --cacert [file]


    For example:

    curl --cacert mycertificate.cer -v https://www.stackoverflow.com
    
    0 Discussion (0)
  • 2020-11-22 08:46

    Had this problem after installing Git Extensions v3.48. Tried to install msysgit again but same problem. In the end, had to disable (please consider security implications!) Git SSL verification with:

    git config --global http.sslVerify false
    

    But if you have a domain certificate, better add it to (Win7):

    C:\Program Files (x86)\Git\bin\curl-ca-bundle.crt
    
    0 Discussion (0)
  • 2020-11-22 08:46

    Specifically for Windows users, using curl-7.57.0-win64-mingw or similar version.

    This is a bit late, and the existing answers are correct. But I still had to struggle a bit to get it working on my Windows machine, though the process is actually pretty straightforward. So, sharing the step-by-step process.

    This error basically means, curl is failing to verify the certificate of the target URI. If you trust the issuer of the certificate (CA), you can add that to the list of trusted certificates.

    For that, browse the URI (e.g. on Chrome) and follow the steps

    1. Right click on the secure padlock icon
    2. Click on certificate, it'll open a window with the certificate details
    3. Go to 'Certification Path' tab
    4. Click the ROOT certificate
    5. Click View Certificate, it'll open another certificate window
    6. Go to Details tab
    7. Click Copy to File, it'll open the export wizard
    8. Click Next
    9. Select 'Base-64 encoded X.509 (.CER)'
    10. Click Next
    11. Give a friendly name e.g. 'MyDomainX.cer' (browse to desired directory)
    12. Click Next
    13. Click Finish, it'll save the certificate file
    14. Now open this .cer file and copy the contents (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----)
    15. Now go to the directory where curl.exe is saved e.g. C:\SomeFolder\curl-7.57.0-win64-mingw\bin
    16. Open the curl-ca-bundle.crt file with a text editor
    17. Append the copied certificate text to the end of the file. Save

    Now your command should execute fine in curl.

    0 Discussion (0)