cURL is showing certificate error when accessing HTTPS site
search cancel

cURL is showing certificate error when accessing HTTPS site

book

Article ID: 171331

calendar_today

Updated On: 12-01-2022

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

You are using the application cURL to send or retrieve files and web pages from a secured (HTTPS) site but it's failing to establish a connection and showing certificate errors.

Example of error message with cURL for Windows

C:\curl https://www.purple.com
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Environment

  • Windows
  • Ubuntu (Linux)

(Please note that a Linux OS can only be protected via IPSec tunnel or Proxy Forwarding access methods).

Cause

This issue is caused by one of the following reasons:

  • The Cloud SWG root certificate has not been added to Windows certificate store or Linux ca-certificates store.
  • cURL has not been properly installed or set up to identify trusted certificates in the OS' store
    • In Windows, you will need to use a special version or cURL that uses Secure Channel (WinSSL) or specify the certificate everytime you run the program
  • Certificate is not specified when running the cURL command

Resolution

Add the Cloud SWG root certificate to the your operating system store:

Windows:

Ubuntu/Debian

  1. Create a directory for extra CA certificates in /usr/share/ca-certificates:

    sudo mkdir /usr/share/ca-certificates/extra

  2. Copy the CertEmulationCA.crt file to this directory:

    sudo cp CertEmulationCA.crt /usr/share/ca-certificates/extra/CertEmulationCA.crt

  3. Update ca-certificates configuration to include the recently imported certificate.

    sudo dpkg-reconfigure ca-certificates

Alternatively, you can instruct cURL to use the certificate when running the command:

curl --cacert c:\temp\CertEmulationCA.crt https://www.securesite.com/
Powered by Wolken Software