17

I am using Ubuntu 14.04. When I use curl, I get the following error:

curl: (77) error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath:

From what I gather from googling, the CAfile location it is looking for is not correct for Ubuntu (and it doesn't exist on my computer), /etc/ssl/certs/ca-certificates.crt is the proper location.

Most of the solutions involved setting the environment variable CURL_CA_BUNDLE to the proper location, or adding cacert=/etc/ssl/certs/ca-certificates.crt to the (newly created) .curlrc file in my home directory. I have tried both, and neither completely solve the issue. curl is finding this location, but it still doesn't work, giving the error:

curl: (60) SSL certificate problem: self signed certificate in certificate chain

I also tried uninstalling and reinstalling curl in Ubuntu, and updating my CA certs with $ sudo update-ca-certificates --fresh which updated the certs, but still didn't make error 60 go away.

I am not that knowledgeable about CA certs, and doubt I purposely added some self signed certificate in the past. Perhaps by accident, I don't know.

Does anyone know how to fix this? Is there a way to actually start fresh with all my certs? Or does anyone even know how I go about figuring out where this self signed certificate is, and then how to remove it?

PS: I don't want to use the -k (aka --insecure) flag. I want to get this working securely.

themaninthewoods
  • 593
  • 2
  • 4
  • 11

6 Answers6

12

After researching and working on this over the last couple days I got it to work, and the answer ended up being rather simple.

I needed to set capath=/etc/ssl/certs/in my .curlrc file.

This got curl working on the command line. To further get curl to work in R (where I first encountered the problem) I also needed to have cacert=/etc/ssl/certs/ca-certificates.crt in my .curlrc file as tried before, otherwise it continued to look for /etc/pki/tls/certs/ca-bundle.crt

I still have no idea why I was seeing the error about self-signed certificates.

Based on some other random findings I also downloaded a certificate from the Curl website with:

sudo wget https://curl.se/ca/cacert.pem

into the same certs directory. Having cafile pointed at this worked as well. In the end I put it back to ca-certificates.crt and it still works.

I don't understand exactly why this worked or what is going on, but it is resolved.

Tsvetomir Tsonev
  • 105
themaninthewoods
  • 593
  • 2
  • 4
  • 11
10

cafile key does not work for me (curl 7.45.0) but cacert (from --cacert option) does. My .curlrc file:

capath=/etc/ssl/certs/
cacert=/etc/ssl/certs/ca-certificates.crt
Duke
  • 201
2

After researching for a few times I got it to work, and the answer ended up being rather a simple one.

Open terminal ctrl+alt+t and change working directory:

 cd /etc/ssl/certs/

Download pem file in the certs folder

 sudo wget https://curl.se/ca/cacert.pem

Now open the file .curlrc

nano ~/.curlrc

Add the below lines in the open file

capath=/etc/ssl/certs/
cacert=/etc/ssl/certs/ca-certificates.crt

Now save the file and do your things using curl command.

N.B Here I used nano editor, but you can use any editor.

Tsvetomir Tsonev
  • 105
PyDevSRS
  • 121
  • 2
0

Here's an alternative way to bypass it:

echo insecure >> ~/.curlrc
Benyamin Jafari
  • 4,234
  • 4
  • 27
  • 37
0

This works for me. Just making a symbolic link ln -s /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt

Lingheng Meng
  • 1
0

We faced same problem with one of our C++ programs in Ubuntu 14.04.5. The .curlrc method was not taking effect.

This was solved by downloading the ca-certificates.crt to /etc/ssl/certs/ca-certificates.crt and creating a symbolic link ca-bundle.crt under /etc/pki/tls/certs/ directory.

Hope this helps!

Zanna
  • 72,312
Tamil
  • 1