Ivan Melnyk Blog

Curl SSL Certificates problem

by

Ivan Melnyk
in ,
Spread the love

If some day you’ll try to get the content of some website under HTTPS protocol using the curl utility and see the error like:

ubuntu@ubuntu:~$ curl https://nodejs.org/dist/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

You will find the solution here.

In my case it was https://nodejs.org/dist/ resource, I was trying to list the available nodejs dists using the nvm command:

nvm ls-remote

And it was listing only N/A and nothing related to the curl SSL CA certificates issues showed up.

I started researching and found this and this web pages. So basically nothing wrong with my just installed NVM or curl utility, the issue was with the ca-certificates.crt file located in /etc/ssl/certs/ folder (in Ubuntu), it simply did not has the latest CA certificates from nodejs.org domain.

Following the instructions from the official curl website I managed this issue as follows:

First I need to extract CA certificate in PEM format from the needed resource (in my case it is nodejs.org), I’m using openssl tool:

openssl s_client -showcerts -servername nodejs.org -connect nodejs.org:443 > cacert.pem

The CA certificate is stored to local file cacert.pem, now all blocks within (inclusive):

-----BEGIN CERTIFICATE-----
...
...
...
-----END CERTIFICATE-----

needs to be added to the end of /etc/ssl/certs/ca-certificates.crt file, just append it (don’t forget to leave one empty line in the end of the file).

Update

After further research I figured out that the approach above is not very common and might not help in every SSL certificates missing related issues. Sometimes better to run the special update command which might help faster and in more convenient way:

sudo update-ca-certificates -v
#for fresh
sudo update-ca-certificates -v -f

If this did not help, you can try to download the latest version of ca-certificates from the Ubuntu/Debian source repository and install it manually, for example:

wget http://security.ubuntu.com/ubuntu/pool/main/c/ca-certificates/ca-certificates_20240203_all.deb && \
#uninstall previous ca-certificates
sudo dpkg --purge --force-depends ca-certificates
# install manually from downloaded
sudo dpkg -i ca-certificates_20240203_all.deb

In case if it still did not work but you need (like I was) to use nvm, you can try to set the NodeJS Mirror URL:

export NVM_NODEJS_ORG_MIRROR=http://nodejs.org/dist

That’s it, try now, the issue should be resolved.

Comments

Leave a Reply