When running curl from a Linux host, the following error is returned when the request goes via Cloud SWG and is SSL intercepted:
"curl: (60) SSL certificate problem: unable to get local issuer certificate"
Cloud SWG
Access method: IPsec, Explicit proxy
Linux host
The Cloud SWG SSL root certificate has not been added to the CA cert store file that curl refers to, hence the error.
Refer to the following steps:
1. Run the curl command with the -v option against the site in question to print its verbose output:
curl -v https://example.com
2. In the curl command output, look for the line that contains the string CAfile:. The path on that line (e.g. /etc/pki/tls/certs/ca-bundle.crt) is the CA cert store file that curl is using to validate the server certificate. When curl doesn't find the Cloud SWG SSL root certificate in that CAfile, it displays the error above.
3. Download the Cloud SWG SSL root certificate file by following the steps mentioned on link.
4. Open the Cloud SWG SSL root certificate file downloaded in Step 3 in any text editor, copy its contents, append them to the CA cert store file identified in Step 2 (e.g. /etc/pki/tls/certs/ca-bundle.crt), and save the CA cert store file.
Important note:
You can edit the CA cert store file using any text editor available on your Linux host; the most common ones are vi and nano.
The CA cert store filename and its path differ between flavours of Linux. The most common ones are listed below:
Debian/Ubuntu/Gentoo etc.: /etc/ssl/certs/ca-certificates.crt
Fedora/RHEL 6: /etc/pki/tls/certs/ca-bundle.crt
CentOS/RHEL 7: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
OpenSUSE: /etc/ssl/ca-bundle.pem
OpenELEC: /etc/pki/tls/cacert.pem
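
Steps 2 and 4 above as shell functions, added here as an example that is not part of the original article: it reads the CAfile path out of the curl -v output and appends the root certificate only if it is not already in the bundle, keeping a backup first. The function names and the file name cloudswg-root.pem are assumptions, and the downloaded file is assumed to hold a single PEM certificate.

```shell
#!/bin/sh
# Added example; helper names and cloudswg-root.pem are assumptions, not from the article.

# Constructed sample of the relevant `curl -v` lines (not captured output).
SAMPLE_VERBOSE='* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none'

# Step 2: print the CA bundle path found in `curl -v` output read on stdin.
cafile_from_verbose() {
    sed -n 's/^\*\{0,1\}[[:space:]]*CAfile:[[:space:]]*//p' | head -n 1
}

# Print the base64 body of the certificate in PEM file $1 as a single line.
pem_body() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/{/-----/!p;}' "$1" |
        tr -d ' \r\n'
}

# Step 4: append root CA $1 to bundle $2 exactly once, keeping a backup.
# Returns 0 = appended, 1 = unusable input, 2 = certificate already present.
append_root_ca() {
    root=$1 bundle=$2
    [ -r "$root" ] && [ -w "$bundle" ] || return 1
    body=$(pem_body "$root")
    [ -n "$body" ] || return 1      # no PEM certificate in $root
    if tr -d ' \r\n' < "$bundle" | grep -qF -- "$body"; then
        return 2
    fi
    cp -p "$bundle" "$bundle.bak" || return 1
    # A bundle without a final newline would glue two PEM markers together.
    [ -z "$(tail -c 1 "$bundle")" ] || printf '\n' >> "$bundle"
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$root" |
        tr -d '\r' >> "$bundle"
}

# Usage on a real host (as root):
#   bundle=$(curl -v https://example.com 2>&1 >/dev/null | cafile_from_verbose)
#   append_root_ca cloudswg-root.pem "$bundle"
#   curl -v https://example.com    # the (60) error should be gone
```

Where the distribution regenerates this bundle (update-ca-trust on RHEL/CentOS, update-ca-certificates on Debian/Ubuntu), a direct append is overwritten the next time that tool runs.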