"curl: (60) SSL certificate problem: unable to get local issuer certificate" error with Cloud SWG

Article ID: 386269

Updated On: 01-21-2025

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

When running curl from a Linux host, the following error is returned when the request goes through Cloud SWG and is SSL intercepted:

"curl: (60) SSL certificate problem: unable to get local issuer certificate"

Environment

Cloud SWG

Access method: IPsec, Explicit proxy

Linux host

Cause

The Cloud SWG SSL root certificate has not been added to the CA cert store file that curl refers to, which causes the error.

Resolution

Refer to the following steps:

1. Run the curl command with the -v option against the site in question to print its verbose output:

curl -v https://example.com

2. In the curl command output, look for the line that contains the string CAfile:. The path shown on that line (e.g. /etc/pki/tls/certs/ca-bundle.crt) is the CA cert store file that curl is using to validate the server certificate. When curl doesn't find the Cloud SWG SSL root certificate in that CAfile, it displays the error.

3. Download Cloud SWG SSL root Certificate file by following steps mentioned on link.

4. Open the Cloud SWG SSL root certificate file downloaded in Step 3 in any text editor, copy its contents, append them to the CA cert store file identified in Step 2 (e.g. /etc/pki/tls/certs/ca-bundle.crt), and save the CA cert store file.

Important note:

You can edit the CA cert store file using any text editor available on your Linux host; the most common ones are vi, nano, etc.
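
A scripted form of Step 4, as an added example that is not part of the original article: it backs up the CA cert store file and appends the root certificate only if it is not already present. The function names and the demo files (placeholder base64 bodies, not real certificates) are constructed for illustration.

```shell
#!/bin/sh
# pem_body FILE: base64 body of the first certificate in FILE, on one line.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ {on=1; next}
         /-----END CERTIFICATE-----/   {if (on) exit}
         on {gsub(/[ \t\r]/, ""); printf "%s", $0}' "$1"
}

# bundle_has_cert BUNDLE CERT: 0 if present, 1 if absent, 2 if CERT has no PEM block.
bundle_has_cert() {
    want=$(pem_body "$2")
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        /-----BEGIN CERTIFICATE-----/ {on=1; body=""; next}
        /-----END CERTIFICATE-----/   {if (on && body == want) found=1; on=0; next}
        on {gsub(/[ \t\r]/, ""); body = body $0}
        END {exit !found}' "$1"
}

# append_ca BUNDLE CERT: back up BUNDLE, then append CERT only if it is missing.
append_ca() {
    bundle=$1; cert=$2
    [ -f "$bundle" ] && [ -f "$cert" ] || { echo "missing file" >&2; return 2; }
    rc=0; bundle_has_cert "$bundle" "$cert" || rc=$?
    case $rc in
        0) echo "already present in $bundle"; return 0 ;;
        2) echo "no PEM certificate in $cert" >&2; return 2 ;;
    esac
    cp -p "$bundle" "$bundle.bak" || return 1
    # Make sure the BEGIN marker starts on its own line.
    [ -z "$(tail -c 1 "$bundle")" ] || printf '\n' >> "$bundle"
    # Copy only the PEM block, dropping CRs and any text around it.
    awk '/-----BEGIN CERTIFICATE-----/ {on=1}
         on {sub(/\r$/, ""); print}
         /-----END CERTIFICATE-----/ {if (on) exit}' "$cert" >> "$bundle"
}

# Demo on constructed files in a temp dir (placeholder bodies, not real certificates).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUFBQQ==' '-----END CERTIFICATE-----' > "$demo/bundle.crt"
printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'Q0xPVURTV0c=' '-----END CERTIFICATE-----' > "$demo/swg-root.pem"
append_ca "$demo/bundle.crt" "$demo/swg-root.pem"   # appends, leaves bundle.crt.bak
append_ca "$demo/bundle.crt" "$demo/swg-root.pem"   # second run changes nothing
# Real use (as root): append_ca <CAfile path from Step 2> <certificate file from Step 3>
```

On distributions that generate the bundle with update-ca-certificates or update-ca-trust, regenerating it can drop a manual append, so repeat the check after system CA updates.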

Additional Information

The CA cert store filename and its path differ between Linux distributions. The most common ones are listed below:

Debian/Ubuntu/Gentoo etc.
/etc/ssl/certs/ca-certificates.crt

Fedora/RHEL 6
/etc/pki/tls/certs/ca-bundle.crt

CentOS/RHEL 7
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

OpenSUSE
/etc/ssl/ca-bundle.pem

OpenELEC
/etc/pki/tls/cacert.pem