How do I deal with certificates using cURL while trying to access an HTTPS url?

This error is related to a missing package: ca-certificates. Install it.

In Ubuntu Linux (and similar distro):

# apt-get install ca-certificates

In CygWin via Apt-Cyg

# apt-cyg install ca-certificates

In Arch Linux (Raspberry Pi)

# pacman -S ca-certificates

The documentation tells:

This package includes PEM files of CA certificates to allow SSL-based applications to check for the authenticity of SSL connections.

As seen at: Debian -- Details of package ca-certificates in squeeze

I also had the newest version of ca-certificates installed but was still getting the error:

curl: (77) error setting certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none

The issue was that curl expected the certificate to be at the path /etc/pki/tls/certs/ca-bundle.crt but could not find it because it was at the path /etc/ssl/certs/ca-certificates.crt.

Copying my certificate to the expected destination by running

sudo cp /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt

worked for me. You will need to create folders for the target destination if they do not exist by running

sudo mkdir -p /etc/pki/tls/certs

If needed, modify the above command to make the destination file name match the path expected by curl, i.e. replace /etc/pki/tls/certs/ca-bundle.crt with the path following "CAfile:" in your error message.

Put this into your .bashrc

# fix CURL certificates path
export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

(see comment from Robert)

Create a file ~/.curlrc with the following content

cacert=/etc/ssl/certs/ca-certificates.crt

as follows

echo "cacert=/etc/ssl/certs/ca-certificates.crt" >> ~/.curlrc

The quickest way to get around the error is add on the -k option somewhere in your curl request. That option "allows connections to SSL cites without certs." (from curl --help)

Be aware that this may mean that you're not talking to the endpoint you think you are, as they are presenting a certificate not signed by a CA you trust.

For example:

$ curl -o /usr/bin/apt-cyg https://raw.github.com/cfg/apt-cyg/master/apt-cyg

gave me the following error response:

curl: (77) error setting certificate verify locations:
  CAfile: /usr/ssl/certs/ca-bundle.crt
  CApath: none

I added on -k:

curl -o /usr/bin/apt-cyg https://raw.github.com/cfg/apt-cyg/master/apt-cyg -k

and no error message. As a bonus, now I have apt-cyg installed. And ca-certificates.

@roens is correct. This affects all Anaconda users, with below error
curl: (77) error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none

The workaround is to use the default system curl and avoid messing with the prepended Anaconda PATH variable. You can either

1. Rename the Anaconda curl binary :)
   mv /path/to/anaconda/bin/curl /path/to/anaconda/bin/curl_anaconda

2. OR remove Anaconda curl
   conda remove curl

$ which curl /usr/bin/curl

[0] Anaconda Ubuntu curl Github issue https://github.com/conda/conda-recipes/issues/352

From $ man curl:

--cert-type <type>
    (SSL) Tells curl what certificate type the provided  certificate
    is in. PEM, DER and ENG are recognized types.  If not specified,
    PEM is assumed.

    If this option is used several times, the last one will be used.

--cacert <CA certificate>
    (SSL) Tells curl to use the specified certificate file to verify
    the peer. The file may contain  multiple  CA  certificates.  The
    certificate(s)  must be in PEM format. Normally curl is built to
    use a default file for this, so this option is typically used to
    alter that default file.

Another alternative to fix this problem is to disable the certificate validation:

echo insecure >> ~/.curlrc

For PHP code running on XAMPP on Windows I found I needed to edit php.ini to include the below

[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo = curl-ca-bundle.crt

and then copy to a file https://curl.haxx.se/ca/cacert.pem and rename to curl-ca-bundle.crt and place it under \xampp path (I couldn't get curl.capath to work). I also found the CAbundle on the cURL site wasn't enough for the remote site I was connecting to, so used one that is listed with a pre-compiled Windows version of curl 7.47.1 at http://winampplugins.co.uk/curl/

I had the exact same problem. As it turns out, my /etc/ssl/certs/ca-certificates.crt file was malformed. The last entry showed something like this:

-----BEGIN CERTIFICATE-----
MIIEDTCCAvWgAwIBAgIJAN..lots of certificate text....AwIBAgIJAN-----END CERTIFICATE-----

After adding a newline before -----END CERTIFICATE-----, curl was able handle the certificates file.

This was very annoying to find out since my update-ca-certificates command did not give me any warning.

This may or may not be a version specific problem of curl, so here is my version, just for completeness:

curl --version
# curl 7.51.0 (x86_64-alpine-linux-musl) libcurl/7.51.0 OpenSSL/1.0.2j zlib/1.2.8 libssh2/1.7.0
# Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
# Features: IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets 

This worked for me

sudo apt-get install ca-certificates

then go into the certificates folder at

sudo cd /etc/ssl/certs

then you copy the ca-certificates.crt file into the /etc/pki/tls/certs

sudo cp ca-certificates.crt /etc/pki/tls/certs

if there is no tls/certs folder: create one and change permissions using chmod 777 -R folderNAME

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). The default bundle is named curl-ca-bundle.crt; you can specify an alternate file using the --cacert option.

If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).

If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

for example

curl --insecure http://........

It seems your curl points to a non-existing file with CA certs or similar.

For the primary reference on CA certs with curl, see: https://curl.haxx.se/docs/sslcerts.html

Just create the folders, which is missing in your system..

/etc/pki/tls/certs/

and create the file using the following command,

sudo apt-get install ca-certificates

and then copy and paste the certificate to the destination folder, which is showing in your error.. mine was " with message 'error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none' in " make sure you paste the file to the exact location mentioned in the error. Use the following command to copy paste..

sudo cp /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt

Fixed.

If anyone is still having trouble, try this, it worked for me. Delete the files in your /etc/ssl/certs/ directory then reinstall ca-certificates:

sudo apt install ca-certificates --reinstall

Did this when I tried installing Linuxbrew.

For what it's worth, checking which curl is being run is significant too.

A user on a shared machine I maintain had been getting this error. But the cause turned out to be because they'd installed Anaconda (http://continuum.io). Doing so put Anaconda's binary path before the standard $PATH, and it comes with its own curl binary, which had trouble finding the default certs that were installed on this Ubuntu machine.

I've got the same problem : I'm building a alpine based docker image, and when I want to curl to a website of my organisation, this error appears. To solve it, I have to get the CA cert of my company, then, I have to add it to the CA certs of my image.

Get the CA certificate

Use OpenSSL to get the certificates related to the website :

openssl s_client -showcerts -servername my.company.website.org -connect my.company.website.org:443

This will output something like :

CONNECTED(00000005)
depth=2 CN = UbisoftRootCA
verify error:num=19:self signed certificate in certificate chain
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... 
-----END CERTIFICATE-----
...

Get the last certificate (the content between the -----BEGIN CERTIFICATE----- and the
-----END CERTIFICATE----- markups included) and save it into a file (mycompanyRootCA.crt for example)

Build your image

Then, when you'll build your docker image from alpine, do the following :

FROM alpine
RUN apk add ca-certificates curl
COPY mycompanyRootCA.crt  /usr/local/share/ca-certificates/mycompanyRootCA.crt
RUN update-ca-certificates

Your image will now work properly ! \o/

Run following command in git bash that works fine for me

git config --global http.sslverify "false"

Just find this solution works perfectly for me.

echo 'cacert=/etc/ssl/certs/ca-certificates.crt' > ~/.curlrc

I found this solution from here

I had this problem as well. My issue was this file:

/usr/ssl/certs/ca-bundle.crt

is by default just an empty file. So even if it exists, youll still get the error as it doesnt contain any certificates. You can generate them like this:

p11-kit extract --overwrite --format pem-bundle /usr/ssl/certs/ca-bundle.crt

https://github.com/msys2/MSYS2-packages/blob/master/ca-certificates/ca-certificates.install

I use MobaXterm which intern uses Cygwin so even after installing ca-certificates using apt-cyg install ca-certificates problem didn't resolve.

I was still getting the following error:

curl: (77) error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none

Then I tried listing the file /etc/ssl/certs/ca-certificates.crt and I couldn't find it. However I could find /usr/ssl/certs/ca-bundle.crt with all standard CA certificates so I copied the file /usr/ssl/certs/ca-bundle.crt as /etc/ssl/certs/ca-certificates.crt and problem got resolved.