99

I get the following error running curl https://npmjs.org/install.sh | sh on Mac OSX 10.9 (Mavericks):

install npm@latest
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

How do I fix this?

user456584
leafiy
  • The npm install script attempts to connect to https://registry.npmjs.org which has a certificate error. My instructions below resolve this issue. – Lewis Buckley Nov 01 '13 at 09:42

12 Answers

137

First off, you should be wary of urls that throw SSL errors. That being said, you can suppress certificate errors in curl with

curl -k https://insecure.url/content-i-really-really-trust
Steen
  • 1
    This is the most logical answer ("Use -k after `curl` command"). Thanks @Steen. – Tharusha Aug 14 '18 at 09:32
  • Problem was, I wasn't sure where it was being run (I was installing craft) so I had to go Lewis Buckley's way – TheTechRobo the Nerd Jun 18 '20 at 15:08
  • 3
    ``-k`` or ``--insecure`` Allow insecure server connections when using SSL – Carson Feb 23 '21 at 07:21
  • 1
    This reminds me of the "xkcd" cartoon about "sudo": https://xkcd.com/149/. ALL of my attempts at using curl ALWAYS resulted in errors! Because of this post, I now add "-k". Everything works. Thanks. – Mark Bower Dec 08 '21 at 05:41
83

Using the Safari browser (not Chrome, Firefox or Opera) on Mac OS X 10.9 (Mavericks) visit https://registry.npmjs.org

Screenshot of Safari showing certificate error

Click the Show certificate button and then check the checkbox labelled Always trust. Then click Continue and enter your password if required.

Always trust checkbox

Curl should now work with that URL correctly.

Lewis Buckley
  • 1
    Sure. Looks like the certificate is valid for https://npmjs.org but not the subdomain https://registry.npmjs.org. If you look at the source of install.sh it attempts to use curl to then download from https://registry.npmjs.org. So you need to visit https://registry.npmjs.org rather than https://npmjs.org to trigger the certificate error, where you can then choose to trust the certificate. – Lewis Buckley Nov 06 '13 at 01:40
  • 1
    I was unable to run "curl https://npmjs.org/install.sh | sh" until I did this. You're a life-saver! – mmmeff Nov 10 '13 at 19:30
  • This answer is a better solution, in my opinion: http://superuser.com/questions/721778/can-not-clone-any-git-repository-from-github. Remove DigiCert root certificates from the Login keychain. – wizonesolutions Mar 16 '14 at 21:47
  • 1
    I had this problem with the Github certificate, and this worked for it as well. I have been having problems since Github replaced their certificate due to the #heartbleed exploit. – Huckphin Apr 10 '14 at 16:34
  • Can you explain exactly what Safari did when you clicked that button? I assume the remote certificate was copied someplace locally, but did it go to the java cacert, or to your keychain, or some other file? Knowing you can fix it is good, but knowing what happens is even better. – Tony Giaccone Oct 29 '14 at 13:28
  • 1
    Safari uses keychain so I presume trusting the certificate adds it to the list of trusted certificates system-wide, which also allows curl to work with the same certificate. This could be verified by checking Keychain Access after trusting the certificate in Safari. – Lewis Buckley Oct 29 '14 at 14:40
37

NOTE: This answer obviously defeats the purpose of SSL and should be used sparingly as a last resort.

For those having issues with scripts that download scripts that download scripts and want a quick fix, create a file called ~/.curlrc

With the contents

--insecure

This will cause curl to ignore SSL certificate problems by default.

Make sure you delete the file when done.

UPDATE

12 days later I got notified of an upvote on this answer, which made me go "Hmmm, did I follow my own advice and remember to delete that .curlrc?", and discovered I hadn't. So that really underscores how easy it is to leave your curl insecure by following this method.

ChrisJ
19

The problem is an expired intermediate certificate that is no longer used and must be deleted. Here is a blog post from Digicert explaining the issue and how to resolve it.

https://blog.digicert.com/expired-intermediate-certificate/

I was seeing the issue with Github not loading via SSL in both Safari and the command line with git pull. Once I deleted the old expired cert everything was fine.

Glenn Rempe
  • In addition to adding intermediate certificates and removing the expired ones, I also need to remove certificates that were signed by an unknown authority. These can be found in **"Logins"** Keychains. They use the same icon as non-expired certificates. So you need to highlight one by one (see [picture](http://i.stack.imgur.com/4ZJoY.png)). These certs were added when you click "Continue" to a browser warning. – Dida Oct 18 '15 at 04:01
8

After updating to OS X 10.9.2, I started having invalid SSL certificate issues with Homebrew, Textmate, RVM, and Github.

When I initiated a brew update, I was getting the following error:

fatal: unable to access 'https://github.com/Homebrew/homebrew/': SSL certificate problem: Invalid certificate chain
Error: Failure while executing: git pull -q origin refs/heads/master:refs/remotes/origin/master

I was able to alleviate some of the issue by just disabling the SSL verification in Git. From the console (a.k.a. shell or terminal):

git config --global http.sslVerify false

I am leery to recommend this because it defeats the purpose of SSL, but it is the only advice I've found that works in a pinch.

I tried rvm osx-ssl-certs update all which stated Already are up to date.

In Safari, I visited https://github.com and attempted to set the certificate manually, but Safari did not present the options to trust the certificate.

Ultimately, I had to Reset Safari (Safari->Reset Safari... menu). Then afterward visit github.com and select the certificate, and "Always trust". This feels wrong and deletes the history and stored passwords, but it resolved my SSL verification issues. A bittersweet victory.

scarver2
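The `~/.curlrc` and `git config --global http.sslVerify false` workarounds in the two answers above are easy to forget once the install has finished. The following is an added example, not code from any of the answers: a small audit that reports such leftovers in a user's home directory. The function names are hypothetical, and the npm `strict-ssl` check and the two environment-variable checks go beyond what the page mentions; only the per-user files `~/.curlrc`, `~/.gitconfig` and `~/.npmrc` are inspected.

```shell
#!/bin/sh
# Added example: find leftover settings that disable TLS certificate checks.

# scan GREP_OPTS FILE PATTERN NOTE: print "FILE:LINE:TEXT   <- NOTE" per match.
scan() {
    [ -f "$2" ] || return 0
    { grep "$1" -- "$3" "$2" || :; } | while IFS= read -r hit; do
        printf '%s:%s   <- %s\n' "$2" "$hit" "$4"
    done
}

# audit_tls_bypass [HOME_DIR]: list findings; exit status 1 if any were found.
audit_tls_bypass() {
    home=${1:-$HOME}
    findings=$(
        # curlrc accepts options with or without leading dashes. No -i here,
        # because -K (read a config file) is a different option from -k.
        scan -nE "$home/.curlrc" \
            '^[[:space:]]*(-k|(--)?insecure)([[:space:]=:]|$)' \
            'remove; trust a CA file instead: cacert = /path/to/bundle.pem'
        # git keys are case-insensitive and may sit in [http] or [http "<url>"].
        scan -nEi "$home/.gitconfig" \
            '^[[:space:]]*sslverify[[:space:]]*=[[:space:]]*(false|no|off|0)' \
            'remove; trust a CA file instead: git config --global http.sslCAInfo <file>'
        scan -nEi "$home/.npmrc" \
            '^[[:space:]]*strict-ssl[[:space:]]*=[[:space:]]*false' \
            'remove; trust a CA file instead: npm config set cafile <file>'
        # Environment overrides survive even after the files are cleaned up.
        if [ -n "${GIT_SSL_NO_VERIFY:-}" ]; then
            echo 'env:GIT_SSL_NO_VERIFY is set   <- unset it'
        fi
        if [ "${NODE_TLS_REJECT_UNAUTHORIZED:-}" = 0 ]; then
            echo 'env:NODE_TLS_REJECT_UNAUTHORIZED=0   <- unset it'
        fi
    )
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}
```

Source the file and run `audit_tls_bypass` with no argument to check the current user; the non-zero exit status makes it usable as a login-script or CI check.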
7

On MacOS High Sierra/10.13:

~$ brew install curl ca-certificates

works like a charm for me.

smci
3

Another cause of this can be duplicate keys in your KeyChain. I've seen this problem on two macs where there were duplicate "DigiCert High Assurance EV Root CA". One was in the login keychain, the other in the system one. Removing the certificate from the login keychain solved the problem.

This affected Safari browser as well as git on the command line.

Matt Connolly
  • 1
    +1 because this was exactly my issue. The root was definitely trusted, but I had two copies of "DigiCert High Assurance EV Root CA" somehow. – tomo Jun 19 '14 at 13:03
3

Let's say you try to download something using curl or install hub using brew, then, you get an error like:

==> Downloading https://ghcr.io/v2/linuxbrew/core/ncurses/manifests/6.2
curl: (60) SSL certificate problem: unable to get local issuer certificate

Then, with ghcr.io being the server, execute the following commands:

cd ~
# Download the cert:
openssl s_client -showcerts -servername ghcr.io  -connect ghcr.io:443 > cacert.pem
# type "quit", followed by the "ENTER" key / or Ctrl+C
# see the data in the certificate:
openssl x509 -inform PEM -in cacert.pem -text -out certdata-ghcr.io.txt
# move the file to certificate store directory:
sudo mv cacert.pem /usr/local/share/ca-certificates/cacert-ghcr.io.crt
# update certificates
sudo update-ca-certificates
# done !

  • 1
    This is correct, and it is annoying it is so far down. Just a small correction, you want to move certdata-ghcr.io.txt and not cacert.pem. Another general note is to avoid using multiple periods (.io.crt) and just use (.crt) to be on the safer side. By the way, I wonder if someone could make a one-liner for this :) – Stardust Jan 05 '23 at 17:20
  • @Stardust, is this helpful?: https://stackoverflow.com/a/70011298/5078874 I found an "enhanced" option (2) and shared it there – Adrian Escutia Soto Jan 09 '23 at 17:28
2

After attempting all of the above solutions to eliminate the "curl: (60) SSL certificate problem: unable to get local issuer certificate" error, the solution that finally worked for me on OSX 10.9 was:

  1. Locate the curl certificate PEM file location 'curl-config --ca' --> /usr/local/etc/openssl/cert.pem

  2. Use the folder location to identify the PEM file 'cd /usr/local/etc/openssl'

  3. Create a backup of the cert.pem file 'cp cert.pem cert_pem.bkup'

  4. Download the updated Certificate file from the curl website 'sudo wget http://curl.haxx.se/ca/cacert.pem'

  5. Copy the downloaded PEM file to replace the old PEM file 'cp cacert.pem cert.pem'

    This is a modified version of a solution posted to correct the same issue in Ubuntu found here:

https://serverfault.com/questions/151157/ubuntu-10-04-curl-how-do-i-fix-update-the-ca-bundle

  • 1
    This!!!! Yes, I am running an older MacOS (Mojave) and replacing this cert was the exact fix!!! Thank you so much. This problem is different than the others because it worked everywhere else except the command line and all my certs were valid in my keychain and it worked fine on other computers even on command line. – pathfinder Nov 15 '21 at 06:01
1

I started seeing this error after installing the latest command-line tools update (6.1) on Yosemite (10.10.1). In this particular case, a reboot of the system fixed the error (I had not rebooted since the update).

Mentioning this in case anyone with the same problem comes across this page, like I did.

Diego Zamboni
1

In some systems like your office system, there is sometimes a firewall/security client that is installed for security purposes. Try uninstalling that and then run the command again; it should start the download.

My system had Netskope Client installed and was blocking the ssl communication.

Search in finder -> uninstall netskope, run it, and try installing homebrew:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"

PS: consider installing the security client.

TheTechRobo the Nerd
Saurabh
0

If you are behind a corporate firewall like Palo Alto it will intercept all TLS/SSL traffic, inspect it and re-encrypt it using its own self-signed certificates. Although these certificates will typically be available on your workstation, the various programs like npm, Git, curl, etc. will not inherit them from the workstation.

If you are working in an enterprise do not use the -k or --insecure option because this turns off the TLS/SSL encryption completely and opens up you and your organization to compromise.

The solution is to add this self-signed certificate to the specific certificate chain that is used by the program you are trying to use. I have included a link to Adrian Escutia Soto's answer which is the best way of addressing this. Unfortunately, I cannot comment or upvote on it because I don't have enough reputation points.