How do I deal with certificates using cURL while trying to access an HTTPS url?

Question

I am getting the following error using curl:

curl: (77) error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none

How do I set this certificate verify locations?

What OS/distro are you on? You should install the ca-certificates package (that's what it's called on debian/ubuntu). — igorw, Jul 01 '10 at 19:34
For future reference, I had already `ca-certificates` installed but the error persisted. The problem was that my certificates were located in `/etc/ssl/certs/ca-certificates.crt` instead of `/etc/pki/tls/certs/ca-bundle.crt`, so I just had to set the environmental variable `CURL_CA_BUNDLE` to the correct path. — r_31415, Dec 11 '14 at 04:28
Cool! It works for me when I set `export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt`. — tidy, Mar 18 '16 at 07:06

score 167 · Answer 1 · edited May 20 '15 at 13:53

167

I also had the newest version of ca-certificates installed but was still getting the error:

curl: (77) error setting certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none

The issue was that curl expected the certificate to be at the path /etc/pki/tls/certs/ca-bundle.crt but could not find it because it was at the path /etc/ssl/certs/ca-certificates.crt.

Copying my certificate to the expected destination by running

sudo cp /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt

worked for me. You will need to create folders for the target destination if they do not exist by running

sudo mkdir -p /etc/pki/tls/certs

If needed, modify the above command to make the destination file name match the path expected by curl, i.e. replace /etc/pki/tls/certs/ca-bundle.crt with the path following "CAfile:" in your error message.

edited May 20 '15 at 13:53

Nicolas Ivanov

798
9
15

answered May 10 '15 at 18:02

Scott Emmons

1,831
3
13
9

39

You could also create a symbolic link with `ln -s` if don't want to re-copy it every time you update it. – starbeamrainbowlabs Aug 28 '15 at 08:41
4

Had same problem for `rescuetime` app on Fedora 25. `sudo ln -s /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-certificates.crt` solved the problem. (`CURL_CA_BUNDLE` env var didn't work) – GabLeRoux Feb 14 '17 at 03:33
On my ubuntu this fixed the issue: `sudo ln -s /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.pem`. I was actually getting `The repository ... does not have a Release file` which was caused by missing certificate ( `Could not load certificates from ...` ). – Marinos An Oct 01 '19 at 10:02

score 141 · Accepted Answer · edited Feb 14 '17 at 18:09

141

This error is related to a missing package: ca-certificates. Install it.

In Ubuntu Linux (and similar distro):

# apt-get install ca-certificates

In CygWin via Apt-Cyg

# apt-cyg install ca-certificates

In Arch Linux (Raspberry Pi)

# pacman -S ca-certificates

The documentation tells:

This package includes PEM files of CA certificates to allow SSL-based applications to check for the authenticity of SSL connections.

As seen at: Debian -- Details of package ca-certificates in squeeze

edited Feb 14 '17 at 18:09

Ionică Bizău

109,027
88
289
474

answered Nov 15 '12 at 15:41

Rubens Mariuzzo

28,358
27
121
148

127

ca-certificates is already the newest version, yet I'm still getting the error – Pastor Bones Jan 10 '13 at 17:09
2

Of course, you'll get this same error if you try to install apt-cyg via the recommended method using curl and https://raw.github.com. – 10gistic Jun 23 '13 at 22:26
Works for me in MSYS2. Thanks! – Jul 23 '15 at 17:11
1

Same as Pastor Bones; this answer is poor. – wordsforthewise Sep 08 '16 at 14:03
11

On Arch Linux, you might also need `pacman -S ca-certificates-utils`. I did. – Mark Grimes Sep 08 '16 at 20:23
2

how to do it in windows? – Mahesh K Dec 05 '16 at 06:20
@PastorBones If you're still getting the error, simply reinstall - I fixed in cygwin64 on Windows 10 by doing: `apt-cyg remove ca-certificates` and then `apt-cyg install ca-certificates` – Tisch Jan 06 '17 at 01:37
13

This package is already installed. This answer is not helpful. – JimmyJames Jun 09 '17 at 20:12
30

@PastorBones I had the same issue that the package was already latest, I think it had however been corrupted so a `sudo apt install --reinstall ca-certificates` reinstalled the package and resolved the errors I was seeing – Will Aug 05 '18 at 09:40
I realize that it is perfect for dockerfile to get composer installed, thanks – Oscar Gallardo Dec 04 '18 at 22:34
For anyone using Linux (Ec2) use `sudo yum install ca-certificates` – Aashwiin Roghan Jun 07 '21 at 05:47
Works for me on Ubuntu 22.04. – vincent31337 Jul 24 '22 at 08:24

score 104 · Answer 3 · answered Jun 25 '15 at 20:43

104

Put this into your .bashrc

# fix CURL certificates path
export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

(see comment from Robert)

answered Jun 25 '15 at 20:43

Yauhen Yakimovich

13,635
8
60
67

11

Thank you for providing a method that doesn't require me to muck up system files by hand, but still keeps the security of using certificates! – Stephen Johnson Aug 07 '15 at 20:44
Thank you. This solved my similar problem with pyenv & curl. I was using Ubuntu 14.04 and already had ca-certificates installed. – davidA Jul 12 '16 at 00:18
This approach also works with xonsh (add `$CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"` to the `.xonshrc`). – m00am Nov 27 '17 at 08:45
Just in case: The one liner version of this: `CURL_CA_BUNDLE=/path/to/bundle.crt curl http://example.com` – jmathew Jan 09 '18 at 04:29

score 37 · Answer 4 · edited Nov 02 '20 at 18:57

37

Create a file ~/.curlrc with the following content

cacert=/etc/ssl/certs/ca-certificates.crt

as follows

echo "cacert=/etc/ssl/certs/ca-certificates.crt" >> ~/.curlrc

edited Nov 02 '20 at 18:57

Henke

4,445
3
31
44

answered Jul 15 '15 at 08:13

prabeesh

935
9
11

2

the best answer, this worked for me on Linux Mint 17 – Santiago May 23 '18 at 14:15
1

On Mac, it worked with following in `~/.curlrc` `cacert=/etc/openssl/cert.pem` – amirathi Mar 03 '20 at 10:37
did not work for me / ubuntu 18 – pascal sautot Sep 20 '21 at 14:37
@pascalsautot Were you able to solve it ? – Zuha Karim Apr 22 '22 at 01:20

10gistic · Answer 5 · 2015-07-14T18:15:48.947

21

The quickest way to get around the error is add on the -k option somewhere in your curl request. That option "allows connections to SSL cites without certs." (from curl --help)

Be aware that this may mean that you're not talking to the endpoint you think you are, as they are presenting a certificate not signed by a CA you trust.

For example:

$ curl -o /usr/bin/apt-cyg https://raw.github.com/cfg/apt-cyg/master/apt-cyg

gave me the following error response:

curl: (77) error setting certificate verify locations:
  CAfile: /usr/ssl/certs/ca-bundle.crt
  CApath: none

I added on -k:

curl -o /usr/bin/apt-cyg https://raw.github.com/cfg/apt-cyg/master/apt-cyg -k

and no error message. As a bonus, now I have apt-cyg installed. And ca-certificates.

edited Jul 14 '15 at 18:15

answered Jun 23 '13 at 22:32

10gistic

535
3
13

13

That might get around the error, but it also makes the "secure" connection become insecure. – Tim Jul 10 '13 at 18:18
2

Not really. As far as I know, you can't just bypass the encryption of a secure connection, so it's still encrypted and going to only one endpoint. Somebody correct me if I'm wrong, but the only risk you run is that you could fall prey to a man-in-the-middle attack. Still not likely a risk if you're using curl. – 10gistic Jul 29 '13 at 16:46
25

Yes, really. The "-k" option is shorthand for "--insecure". If you have man-in-the-middle what do you think he's doing with your data ? Spoiler alert: he's decrypting it, stealing it, and possibly modifying it and injecting back into the insecure stream. Straight from the man page : "-k, --insecure (SSL) This option explicitly allows curl to perform "insecure" SSL connections and transfers. All SSL connections are attempted to be made secure by using the CA certificate bundle installed by default. This makes all connections considered "insecure" fail unless -k, --insecure is used." – Tim Aug 03 '13 at 10:59
2

If you need SSL you need privacy and verification — the `-k` flag means you're **losing** verification. Depending on your needs this may be acceptable. MITM are non-trivial attacks if you assume your network and the server you're communicating with are secured from interlopers (can you make that assumption?). The risk increases depending on the type of you data (sourcecode and certs are riskier than images). You can verify the integrity of the data after the transfer (checksums etc.) but now you're shifting your trust onto that checksum channel. In the end `-k` gives you quite a bit more work. – Mark Fox Mar 04 '14 at 20:12
So does it mean that if i am using a Self signed certificate. I should be using the option -k. As it may not be possible to verify the Self signed certificate ? – Linus Jul 25 '14 at 10:04
@Linus: No, `-k` would work with *no certificate*. Self-signed certificates should work (if you tell `curl` about them). – serv-inc Oct 23 '15 at 12:58
I'm pretty sure a cert is required for SSL. @Linus you could either use -k, and decide to trust any MITM, or make sure that either your individual cert or the CA you signed with is in your trusted certificates store. – 10gistic Oct 23 '15 at 20:33

Harsha Manjunath · Answer 6 · 2016-06-14T06:56:01.503

16

@roens is correct. This affects all Anaconda users, with below error
curl: (77) error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none

The workaround is to use the default system curl and avoid messing with the prepended Anaconda PATH variable. You can either

Rename the Anaconda curl binary :)
mv /path/to/anaconda/bin/curl /path/to/anaconda/bin/curl_anaconda
OR remove Anaconda curl
conda remove curl

$ which curl /usr/bin/curl

[0] Anaconda Ubuntu curl Github issue https://github.com/conda/conda-recipes/issues/352

edited Jun 14 '16 at 06:56

answered Jun 14 '16 at 06:41

Harsha Manjunath

579
5
12

Good find, I didn't realize Anaconda was stealing my path precedence. It worked once I replaced `curl` with the full path `/usr/bin/curl` – jxramos Nov 19 '18 at 01:22

score 16 · Answer 7 · edited Mar 04 '14 at 19:54

From $ man curl:

--cert-type <type>
    (SSL) Tells curl what certificate type the provided  certificate
    is in. PEM, DER and ENG are recognized types.  If not specified,
    PEM is assumed.

    If this option is used several times, the last one will be used.

--cacert <CA certificate>
    (SSL) Tells curl to use the specified certificate file to verify
    the peer. The file may contain  multiple  CA  certificates.  The
    certificate(s)  must be in PEM format. Normally curl is built to
    use a default file for this, so this option is typically used to
    alter that default file.

score 10 · Answer 8 · edited Jan 20 '20 at 00:56

10

If anyone is still having trouble, try this, it worked for me. Delete the files in your /etc/ssl/certs/ directory then reinstall ca-certificates:

sudo apt install ca-certificates --reinstall

Did this when I tried installing Linuxbrew.

edited Jan 20 '20 at 00:56

brian d foy

129,424
31
207
592

answered Nov 24 '19 at 22:36

Michael Enitan

512
6
10

2

This helped me but I didn't delete the files on my machine. Just ran the simple command and curl started working. – Josefhu15 May 17 '20 at 18:50
This was the solution for me – iMe Nov 27 '21 at 13:23

score 8 · Answer 9 · answered Aug 12 '15 at 15:31

8

Another alternative to fix this problem is to disable the certificate validation:

echo insecure >> ~/.curlrc

answered Aug 12 '15 at 15:31

Pablo R. Mier

719
1
7
13

2

Workaround, but it helps me after too much time with curl certificates. Thanks. – K. Gol Apr 12 '18 at 11:06

score 7 · Answer 10 · answered Mar 12 '16 at 10:18

For PHP code running on XAMPP on Windows I found I needed to edit php.ini to include the below

[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo = curl-ca-bundle.crt

and then copy to a file https://curl.haxx.se/ca/cacert.pem and rename to curl-ca-bundle.crt and place it under \xampp path (I couldn't get curl.capath to work). I also found the CAbundle on the cURL site wasn't enough for the remote site I was connecting to, so used one that is listed with a pre-compiled Windows version of curl 7.47.1 at http://winampplugins.co.uk/curl/

On windows you can also just add "xampp" before php like so: curl.cainfo = "C:\xampp\php\extras\cacert.pem" — Ryan Steyn, Oct 28 '16 at 06:55

score 7 · Answer 11 · answered Dec 21 '16 at 13:51

I had the exact same problem. As it turns out, my /etc/ssl/certs/ca-certificates.crt file was malformed. The last entry showed something like this:

-----BEGIN CERTIFICATE-----
MIIEDTCCAvWgAwIBAgIJAN..lots of certificate text....AwIBAgIJAN-----END CERTIFICATE-----

After adding a newline before -----END CERTIFICATE-----, curl was able handle the certificates file.

This was very annoying to find out since my update-ca-certificates command did not give me any warning.

This may or may not be a version specific problem of curl, so here is my version, just for completeness:

curl --version
# curl 7.51.0 (x86_64-alpine-linux-musl) libcurl/7.51.0 OpenSSL/1.0.2j zlib/1.2.8 libssh2/1.7.0
# Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
# Features: IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets

meda · Answer 12 · 2015-10-21T01:38:26.480

5

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). The default bundle is named curl-ca-bundle.crt; you can specify an alternate file using the --cacert option.

If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).

If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

for example

curl --insecure http://........

edited Oct 21 '15 at 01:38

answered Oct 08 '14 at 15:27

meda

45,103
14
92
122

3

Just an aside that "trusting the source" is pretty irrelevant here, since without properly validating the cert against a CA, you have no idea who "the source" is. – Jeff Allen May 30 '15 at 23:06

score 5 · Answer 13 · edited Mar 16 '15 at 13:12

5

This worked for me

sudo apt-get install ca-certificates

then go into the certificates folder at

sudo cd /etc/ssl/certs

then you copy the ca-certificates.crt file into the /etc/pki/tls/certs

sudo cp ca-certificates.crt /etc/pki/tls/certs

if there is no tls/certs folder: create one and change permissions using chmod 777 -R folderNAME

edited Mar 16 '15 at 13:12

Opal

81,889
28
189
210

answered Mar 16 '15 at 12:52

Kwame Yeboah

79
1
1

2

I tried this but this didn't work for me and I still get the same error. Any ideas ? – Anirudh Mar 21 '15 at 11:34
1

`chmod 777` is very insecure (anyone - any process - on that box can change the certs and MitM attack you) - `chmod 755` is much better – Gedge May 11 '21 at 08:36

Daniel Stenberg · Answer 14 · 2016-09-01T11:57:02.943

3

It seems your curl points to a non-existing file with CA certs or similar.

For the primary reference on CA certs with curl, see: https://curl.haxx.se/docs/sslcerts.html

edited Sep 01 '16 at 11:57

answered Jul 01 '10 at 21:52

Daniel Stenberg

54,736
17
146
222

score 3 · Answer 15 · answered Mar 18 '19 at 06:56

Just create the folders, which is missing in your system..

/etc/pki/tls/certs/

and create the file using the following command,

sudo apt-get install ca-certificates

and then copy and paste the certificate to the destination folder, which is showing in your error.. mine was " with message 'error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none' in " make sure you paste the file to the exact location mentioned in the error. Use the following command to copy paste..

sudo cp /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt

Fixed.

None of the top answers worked for me but this did! – Prachiti Prakash Prabhu Feb 28 '20 at 20:46 — Prachiti Prakash Prabhu, Feb 28 '20 at 20:46

score 2 · Answer 16 · answered Nov 19 '19 at 10:32

I've got the same problem : I'm building a alpine based docker image, and when I want to curl to a website of my organisation, this error appears. To solve it, I have to get the CA cert of my company, then, I have to add it to the CA certs of my image.

Get the CA certificate

Use OpenSSL to get the certificates related to the website :

openssl s_client -showcerts -servername my.company.website.org -connect my.company.website.org:443

This will output something like :

CONNECTED(00000005)
depth=2 CN = UbisoftRootCA
verify error:num=19:self signed certificate in certificate chain
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... 
-----END CERTIFICATE-----
...

Get the last certificate (the content between the -----BEGIN CERTIFICATE----- and the
-----END CERTIFICATE----- markups included) and save it into a file (mycompanyRootCA.crt for example)

Build your image

Then, when you'll build your docker image from alpine, do the following :

FROM alpine
RUN apk add ca-certificates curl
COPY mycompanyRootCA.crt  /usr/local/share/ca-certificates/mycompanyRootCA.crt
RUN update-ca-certificates

Your image will now work properly ! \o/

score 2 · Answer 17 · answered Jan 12 '22 at 21:44

2

For windows :-

Download the certificate from https://curl.se/docs/caextract.html
Rename cacert.pem to curl-ca-bundle.crt
Add the file to any of the below locations

Check this for details https://curl.se/docs/sslcerts.html

answered Jan 12 '22 at 21:44

ssilas777

9,672
4
45
68

I did `curl https://curl.se/ca/cacert.pem -o /etc/ssl/certs/ca-certificates.crt -k` to get a copy of the root certificate curl needs. I am building linux from scratch. – exebook Mar 04 '23 at 14:46

score 2 · Answer 18 · answered Jun 07 '22 at 15:53

I came across this curl 77 problem while was trying to access elasticsearch running in docker container on Ubuntu 20.04 localhost. Afrer container was started:

Check curl without ssl: curl --cacert http_ca.crt -u elastic https://localhost:9200 -k lowercase -k for insecure connection.
Check curl configs: curl-config --configure, noticed what is ca-bundle: --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt.
Copy http_ca.crt file from container to:/usr/local/share/ca-certificates/, original command is here.
Run update on ca-certificates: sudo update-ca-certificates.
Run curl: curl -u elastic:<password> https://localhost:9201.
Finally got response with "tagline" : "You Know, for Search".

Change <password> to the one that was generated when Docker Image was run.
Also notice that on my machine elastic was started on port 9201 (don't know why: sudo ss -tlpn | grep 9200 gives me nothing), I have found the port with: sudo netstat -ntlp and Programm name was docker-proxy.

roens · Answer 19 · 2016-03-17T19:17:50.957

1

For what it's worth, checking which curl is being run is significant too.

A user on a shared machine I maintain had been getting this error. But the cause turned out to be because they'd installed Anaconda (http://continuum.io). Doing so put Anaconda's binary path before the standard $PATH, and it comes with its own curl binary, which had trouble finding the default certs that were installed on this Ubuntu machine.

edited Mar 17 '16 at 19:17

answered Dec 10 '15 at 19:47

roens

333
2
9

1

I recommend checking `which -a curl` to see everything available, and of course noting which one comes on top. – jxramos Nov 19 '18 at 01:23

score 1 · Answer 20 · answered Apr 17 '20 at 04:32

1

Just find this solution works perfectly for me.

echo 'cacert=/etc/ssl/certs/ca-certificates.crt' > ~/.curlrc

I found this solution from here

answered Apr 17 '20 at 04:32

Daniel

325
3
10

score 0 · Answer 21 · answered Jun 19 '17 at 18:25

0

Run following command in git bash that works fine for me

git config --global http.sslverify "false"

answered Jun 19 '17 at 18:25

J4cK

30,459
8
42
54

score 0 · Answer 22 · edited Nov 02 '21 at 07:40

I had this problem as well. My issue was this file:

/usr/ssl/certs/ca-bundle.crt

is by default just an empty file. So even if it exists, you'll still get the error as it doesn't contain any certificates. You can generate them like this:

p11-kit extract --overwrite --format pem-bundle /usr/ssl/certs/ca-bundle.crt

https://github.com/msys2/MSYS2-packages/blob/master/ca-certificates/ca-certificates.install

score 0 · Answer 23 · answered May 24 '21 at 16:26

I use MobaXterm which intern uses Cygwin so even after installing ca-certificates using apt-cyg install ca-certificates problem didn't resolve.

I was still getting the following error:

curl: (77) error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none

Then I tried listing the file /etc/ssl/certs/ca-certificates.crt and I couldn't find it. However I could find /usr/ssl/certs/ca-bundle.crt with all standard CA certificates so I copied the file /usr/ssl/certs/ca-bundle.crt as /etc/ssl/certs/ca-certificates.crt and problem got resolved.

score 0 · Answer 24 · answered Feb 28 '23 at 08:59

0

In my case, it was a permission issue

try

sudo curl .....

answered Feb 28 '23 at 08:59

Maverick

1,105
12
41

score 0 · Answer 25 · answered Apr 24 '23 at 13:54

I used to get this error when run composer update And I tried all the commands to reinstall the cert file, but the problem was not solved.

I realized that the error is due to permission So the problem was solved with this command

cd /etc/ssl

sudo chmod 755 -R certs/

How do I deal with certificates using cURL while trying to access an HTTPS url?

25 Answers25

if there is no tls/certs folder: create one and change permissions using chmod 777 -R folderNAME

Get the CA certificate

Build your image

Linked

Related