When working with cURL on Debian systems (particularly older versions like Lenny), you might encounter this SSL verification error even when connecting to trusted sites like Google. This occurs because:
- The default CA certificate bundle is either missing or outdated
- Your system's certificate store isn't properly configured
- The server's intermediate certificates aren't properly chained
For temporary testing purposes, you can bypass SSL verification (not recommended for production):
curl -k https://www.google.com
But this defeats the purpose of SSL verification. Instead, let's implement proper solutions.
On Debian/Ubuntu systems, install the updated CA certificates package:
sudo apt-get update
sudo apt-get install ca-certificates
Then either:
# Option 1: Use system certs
curl --capath /etc/ssl/certs/ https://www.google.com
# Option 2: Specify cert bundle explicitly
curl --cacert /etc/ssl/certs/ca-certificates.crt https://www.google.com
If the above doesn't work, consider these options:
Downloading Mozilla's CA Bundle
# update-ca-certificates only imports files ending in .crt, and writing here needs root
sudo wget https://curl.se/ca/cacert.pem -O /usr/local/share/ca-certificates/cacert.crt
sudo update-ca-certificates
Compiling cURL with Proper CA Path
When building from source:
./configure --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt
make
sudo make install
For deeper investigation, use OpenSSL directly:
openssl s_client -connect www.google.com:443 -showcerts
This will show the complete certificate chain and help identify where verification fails.
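As an added example (not from the original article), this shell function reads that s_client output on stdin and reports where the chain sent by the server stops linking up. The function name chain_report and the host and CA names in the sample data are constructed for illustration.

```shell
#!/bin/sh
# Reads `openssl s_client -showcerts` output on stdin and reports how the certs link.
# Exit status: 0 = each cert is followed by its issuer, 1 = gap, 2 = no chain.
chain_report() {
    awk '
        $0 == "Certificate chain"  { in_chain = 1; next }
        in_chain && $0 == "---"    { in_chain = 0 }  # exact match: PEM lines start with -----
        in_chain && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        in_chain && /^ +i:/        { sub(/^ +i:/, ""); issuer[n] = $0; next }
        END {
            if (n == 0) { print "NO_CHAIN"; exit 2 }
            for (k = 1; k < n; k++)
                if (issuer[k] != subj[k + 1]) {
                    printf "GAP: cert %d issuer not sent next: %s\n", k - 1, issuer[k]
                    gap = 1
                }
            # The issuer of the last cert sent has to be in the local CA store.
            if (subj[n] == issuer[n])
                print "TOP: self-signed " subj[n]
            else
                print "TOP: needs local CA " issuer[n]
            exit gap + 0
        }'
}
# Constructed sample (PEM body elided): the server sends only its leaf certificate.
sample_leaf_only() {
    cat <<'EOF'
Certificate chain
 0 s:CN = internal.example.com
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
---
EOF
}
# Constructed sample: the server sends leaf and root but skips the intermediate.
sample_gap() {
    cat <<'EOF'
Certificate chain
 0 s:CN = internal.example.com
   i:CN = Example Issuing CA
 1 s:CN = Example Root CA
   i:CN = Example Root CA
EOF
}
sample_gap | chain_report || true
```

Against a live host, pipe the command above into it: openssl s_client -connect www.google.com:443 -showcerts </dev/null 2>/dev/null | chain_report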
For scripting scenarios where you can't modify the system configuration:
#!/bin/bash
CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
export CURL_CA_BUNDLE
# Now all curl commands will use the proper cert bundle
curl https://www.google.com
For internal systems with self-signed certs:
# Download the cert first (this fetch is unverified, so confirm the fingerprint out of band)
openssl s_client -connect internal.example.com:443 -showcerts </dev/null | \
awk '/BEGIN CERT/,/END CERT/ {print}' > internal-cert.pem
# Then use it with curl
curl --cacert internal-cert.pem https://internal.example.com
When you encounter the error curl: (60) SSL certificate problem: unable to get local issuer certificate, it means curl cannot verify the SSL certificate presented by the server because it doesn't trust the Certificate Authority (CA) that issued it. This typically happens when your system lacks the necessary CA root certificates.
Debian Lenny (and older versions) didn't include the ca-certificates package by default. This package contains the Mozilla CA certificate store that most applications, including curl, use to verify SSL certificates.
The most straightforward fix is to install the ca-certificates package:
sudo apt-get update
sudo apt-get install ca-certificates
If you can't install packages or need a temporary workaround, here are other approaches:
1. Use --cacert with a Custom Bundle
Download a CA bundle (for example, from curl's website) and point curl at it:
curl --cacert /path/to/cacert.pem https://www.google.com
2. Disable Certificate Verification (Not Recommended)
For testing purposes only, you can disable verification:
curl --insecure https://www.google.com
After implementing any solution, verify it works:
curl -v https://www.google.com
Look for SSL certificate verify ok in the output.
If managing multiple Debian Lenny systems, consider:
# Batch update all systems
for host in host1 host2 host3; do
    ssh "root@$host" "apt-get update && apt-get install -y ca-certificates"
done
If problems continue after installing ca-certificates:
- Check the certificate path:
update-ca-certificates -v
- Verify the cert store location:
curl-config --ca
- Ensure the time/date is correct:
date