How to Fix and Update cURL CA Certificate Bundle on RedHat Linux


When working with cURL on RedHat systems, you might encounter SSL certificate verification errors like:

curl: (60) SSL certificate problem: unable to get local issuer certificate
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

This typically occurs when the Certificate Authority (CA) bundle used by cURL becomes outdated or doesn't contain the root certificates needed to verify the SSL certificates of the sites you're accessing.

First, let's check where cURL is looking for CA certificates:

# curl prints the bundle it actually uses on the "CAfile:" line of its verbose output
curl -sv -o /dev/null https://example.com 2>&1 | grep -i cafile

This will show you the default CA path. On most RedHat systems, it's either:

  • /etc/pki/tls/certs/ca-bundle.crt
  • /etc/ssl/certs/ca-certificates.crt

There are several ways to update the CA bundle on RedHat systems:

Method 1: Using yum/dnf update

sudo yum update ca-certificates
# Or for newer RedHat versions:
sudo dnf update ca-certificates

Method 2: Manual Update from Mozilla

# Download the latest bundle (this overwrites the file that update-ca-trust manages,
# so the next "update-ca-trust extract" replaces it again)
sudo wget https://curl.se/ca/cacert.pem -O /etc/pki/tls/certs/ca-bundle.crt

# Or alternatively, install it as a trust anchor so that update-ca-trust keeps it:
sudo wget https://curl.se/ca/cacert.pem -O /etc/pki/ca-trust/source/anchors/cacert.pem
sudo update-ca-trust

Method 3: Using update-ca-trust

# "enable" was only needed on RHEL 6; newer releases have it on by default,
# and "extract" alone rebuilds the bundles from /etc/pki/ca-trust/source
sudo update-ca-trust enable
sudo update-ca-trust extract

After updating, verify that cURL can now successfully verify SSL certificates:

curl -I https://github.com

If you still get errors, you might need to specify the CA bundle path explicitly:

curl --cacert /etc/pki/tls/certs/ca-bundle.crt https://example.com

While not recommended for production, you can temporarily bypass SSL verification during testing:

curl --insecure https://example.com

Or in your scripts/code (PHP shown):

curl_setopt_array($ch, [
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_SSL_VERIFYHOST => false,
]);

To keep your CA bundle updated automatically, create a cron job:

# /etc/cron.d format (includes the "root" user field); runs daily at 01:00
0 1 * * * root /usr/bin/yum update -y ca-certificates && /usr/bin/update-ca-trust

When you encounter the error SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in Red Hat, it typically means your CA certificate bundle is either:

  • Missing entirely
  • Outdated and doesn't contain the latest root certificates
  • Pointing to the wrong location

First, check where your system currently looks for CA certificates:

curl-config --ca    # compiled-in default bundle path (curl-config ships in libcurl-devel)
openssl version -a | grep OPENSSLDIR

The most common locations for CA bundles in Red Hat systems are:

/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/certs/ca-certificates.crt

For Red Hat Enterprise Linux 7/8/9, use this command to update the ca-certificates package:

sudo yum update ca-certificates -y

For newer versions using dnf:

sudo dnf update ca-certificates --refresh

If the package update doesn't solve your issue, you can manually update the bundle:

# Note: update-ca-trust regenerates this file, so a later "update-ca-trust extract" overwrites it
sudo curl -o /etc/pki/tls/certs/ca-bundle.crt https://curl.se/ca/cacert.pem

Test with a known good HTTPS endpoint:

curl -I https://github.com

You should see HTTP headers returned without certificate errors.

For temporary testing only (never in production):

curl --insecure https://example.com

To make cURL always use a specific CA bundle:

echo "cacert = /etc/pki/tls/certs/ca-bundle.crt" >> ~/.curlrc

Or system-wide configuration:

echo "CURL_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt" | sudo tee -a /etc/environment

If the errors persist, also check:

  • Verify file permissions: ls -l /etc/pki/tls/certs/ca-bundle.crt
  • Check SELinux context: ls -Z /etc/pki/tls/certs/ca-bundle.crt
  • Verify certificate expiration: openssl x509 -enddate -noout -in /etc/pki/tls/certs/ca-bundle.crt (this reports only the first certificate in the bundle)
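As an added example that is not part of the original article, this POSIX shell script extends the last check: it splits a bundle into its individual certificates and reports the expiry of each one, because running openssl x509 on the whole file only reads the first certificate. The sample bundle it writes is constructed from placeholder blocks in the layout of cacert.pem; bundle_expirations needs a real bundle and openssl on the system.

```sh
#!/bin/sh
# Added example (not from the article): inspect a CA bundle certificate by certificate.

count_bundle_certs() {                       # number of PEM blocks in the bundle
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Split a bundle into cert-0001.pem, cert-0002.pem, ... under directory $2, skipping
# the comment lines cacert.pem puts between blocks; prints how many were written.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%04d.pem", dir, n) }
        f != ""                        { print > f }
        /^-----END CERTIFICATE-----/   { close(f); f = "" }
        END                            { print n + 0 }
    ' "$1"
}

# Print status, notAfter and subject for every certificate (needs openssl);
# the article's single openssl command would only show the first certificate.
bundle_expirations() {
    tmp=$(mktemp -d)
    split_bundle "$1" "$tmp" >/dev/null
    for f in "$tmp"/cert-*.pem; do
        if openssl x509 -noout -checkend 0 -in "$f" >/dev/null 2>&1; then s=ok; else s=EXPIRED; fi
        printf '%s\t%s\t%s\n' "$s" "$(openssl x509 -noout -enddate -in "$f" | cut -d= -f2)" \
            "$(openssl x509 -noout -subject -in "$f")"
    done
    rm -rf "$tmp"
}

# Constructed sample in the layout of cacert.pem (placeholder blocks, not real
# certificates): section names and separator lines sit between the PEM blocks.
make_sample_bundle() {
    cat > "$1" <<'EOF'
## Constructed test bundle, not a real CA store
Example Root CA 1
=================
-----BEGIN CERTIFICATE-----
MIIBnotarealcertificate1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBnotarealcertificate2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBnotarealcertificate3
-----END CERTIFICATE-----
EOF
}
```

Run bundle_expirations /etc/pki/tls/certs/ca-bundle.crt on a real system and look for EXPIRED lines; a count far below the roughly 140 roots Mozilla currently ships points at a stale or truncated bundle.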