cURL is showing certificate error when accessing HTTPS site

Article ID: 171331

Products

Web Security Service - WSS

Issue/Introduction

You are using cURL to send or retrieve files and web pages from a secured (HTTPS) site, but it fails to establish a connection and shows certificate errors.

Example of error message with cURL for Windows

C:\curl https://www.purple.com
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Cause

This issue is caused by one of the following reasons:

  • The WSS root certificate has not been added to the Windows certificate store or the Linux ca-certificates store.
  • cURL has not been properly installed or set up to identify trusted certificates in the OS's store.
    • In Windows, you will need to use a special version of cURL that uses Secure Channel (WinSSL), or specify the certificate every time you run the program.
  • The certificate is not specified when running the cURL command.

Environment

  • Windows
  • Ubuntu (Linux)

(Please note that a Linux OS can only be protected via IPSec tunnel or Proxy Forwarding access methods).

Resolution

Add the WSS root certificate to your operating system's store:

Windows:

Ubuntu/Debian

  1. Create a directory for extra CA certificates in /usr/share/ca-certificates:

    sudo mkdir /usr/share/ca-certificates/extra
    
  2. Copy the CertEmulationCA.crt file to this directory:

    sudo cp CertEmulationCA.crt /usr/share/ca-certificates/extra/CertEmulationCA.crt
    
  3. Update ca-certificates configuration to include the recently imported certificate.

    sudo dpkg-reconfigure ca-certificates
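
To confirm that step 3 took effect, the following added example (not part of the original article or of any vendor tooling) checks by SHA-256 fingerprint whether a CA certificate is present in a PEM trust bundle, such as /etc/ssl/certs/ca-certificates.crt on Ubuntu/Debian. The script name check_ca.py and all function names are hypothetical, and the built-in demo runs on constructed placeholder data rather than real certificates.

```python
"""Check that a CA certificate is present in a PEM trust bundle (added example)."""
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """Return the SHA-256 fingerprint (hex) of every certificate in pem_text."""
    prints = []
    for body in PEM_BLOCK.findall(pem_text):
        # Drop newlines (LF or CRLF) and indentation before decoding to DER.
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints


def bundle_trusts(bundle_text, ca_text):
    """True if the first certificate in ca_text also appears in bundle_text."""
    wanted = pem_fingerprints(ca_text)
    if not wanted:
        raise ValueError("no PEM certificate found in CA file")
    return wanted[0] in set(pem_fingerprints(bundle_text))


def constructed_pem(payload):
    """Wrap arbitrary bytes in a PEM block. Constructed sample data only:
    not a parseable X.509 certificate, but it is hashed the same way."""
    b64 = base64.encodebytes(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Real use: python check_ca.py <bundle.pem> <CertEmulationCA.crt>
        with open(sys.argv[1], errors="replace") as b, open(sys.argv[2]) as c:
            found = bundle_trusts(b.read(), c.read())
    else:
        # Offline demo on constructed data (assumed names, not real roots).
        ca = constructed_pem(b"constructed WSS root")
        bundle = constructed_pem(b"constructed public root") + ca
        found = bundle_trusts(bundle, ca)
    print("CA present in bundle" if found else "CA missing from bundle")
    sys.exit(0 if found else 1)
```

The script exits with status 0 when the certificate is found and 1 when it is missing, so it can be used as a post-install check.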
    

Alternatively, you can instruct cURL to use the certificate when running the command:

curl --cacert c:\temp\CertEmulationCA.crt https://www.securesite.com/