I am getting the following error using curl:
curl: (77) error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
How do I set this certificate verify locations?
![Nimantha's user avatar](data:image/svg+xml,<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64"><rect fill-opacity="0"/></svg>){kind=small}
26 Answers
I also had the newest version of ca-certificates installed but was still getting the error:
curl: (77) error setting certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
The issue was that curl expected the certificate to be at the path /etc/pki/tls/certs/ca-bundle.crt but could not find it because it was at the path /etc/ssl/certs/ca-certificates.crt.
Copying my certificate to the expected destination by running
sudo cp /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt
worked for me. You will need to create folders for the target destination if they do not exist by running
sudo mkdir -p /etc/pki/tls/certs
If needed, modify the above command to make the destination file name match the path expected by curl, i.e. replace /etc/pki/tls/certs/ca-bundle.crt with the path following "CAfile:" in your error message.
answered May 10, 2015 at 18:02
-
41You could also create a symbolic link with
ln -sif don't want to re-copy it every time you update it. Commented Aug 28, 2015 at 8:41 -
4Had same problem for
rescuetimeapp on Fedora 25.sudo ln -s /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-certificates.crtsolved the problem. (CURL_CA_BUNDLEenv var didn't work) Commented Feb 14, 2017 at 3:33 -
On my ubuntu this fixed the issue:
sudo ln -s /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.pem. I was actually gettingThe repository ... does not have a Release filewhich was caused by missing certificate (Could not load certificates from ...). Commented Oct 1, 2019 at 10:02
This error is related to a missing package: ca-certificates. Install it.
In Ubuntu Linux (and similar distro):
# apt-get install ca-certificates
In CygWin via Apt-Cyg
# apt-cyg install ca-certificates
In Arch Linux (Raspberry Pi)
# pacman -S ca-certificates
The documentation tells:
This package includes PEM files of CA certificates to allow SSL-based applications to check for the authenticity of SSL connections.
As seen at: Debian -- Details of package ca-certificates in squeeze
answered Nov 15, 2012 at 15:41
-
128ca-certificates is already the newest version, yet I'm still getting the error Commented Jan 10, 2013 at 17:09
-
2Of course, you'll get this same error if you try to install apt-cyg via the recommended method using curl and raw.github.com.– 10gisticCommented Jun 23, 2013 at 22:26
-
11On Arch Linux, you might also need
pacman -S ca-certificates-utils. I did. Commented Sep 8, 2016 at 20:23 -
14This package is already installed. This answer is not helpful. Commented Jun 9, 2017 at 20:12
-
30@PastorBones I had the same issue that the package was already latest, I think it had however been corrupted so a
sudo apt install --reinstall ca-certificatesreinstalled the package and resolved the errors I was seeing– WillCommented Aug 5, 2018 at 9:40
Put this into your .bashrc
# fix CURL certificates path
export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
(see comment from Robert)
answered Jun 25, 2015 at 20:43
-
12Thank you for providing a method that doesn't require me to muck up system files by hand, but still keeps the security of using certificates! Commented Aug 7, 2015 at 20:44
-
Thank you. This solved my similar problem with pyenv & curl. I was using Ubuntu 14.04 and already had ca-certificates installed.– davidACommented Jul 12, 2016 at 0:18
-
This approach also works with xonsh (add
$CURL_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"to the.xonshrc).– m00amCommented Nov 27, 2017 at 8:45 -
1Just in case: The one liner version of this:
CURL_CA_BUNDLE=/path/to/bundle.crt curl http://example.com– jmathewCommented Jan 9, 2018 at 4:29 -
This was a life-saver. Curl kept looking for certificates at a path that didn't exist on my system - specifically {USER}/Desktop/src/master/cert.ca. I have no idea where it got that from. This single export solved everything.– brugiaCommented Feb 24, 2024 at 13:37
Create a file ~/.curlrc with the following content
cacert=/etc/ssl/certs/ca-certificates.crt
as follows
echo "cacert=/etc/ssl/certs/ca-certificates.crt" >> ~/.curlrc
-
2
-
1On Mac, it worked with following in
~/.curlrccacert=/etc/openssl/cert.pem– amirathiCommented Mar 3, 2020 at 10:37 -
-
The quickest way to get around the error is add on the -k option somewhere in your curl request. That option "allows connections to SSL cites without certs." (from curl --help)
Be aware that this may mean that you're not talking to the endpoint you think you are, as they are presenting a certificate not signed by a CA you trust.
For example:
$ curl -o /usr/bin/apt-cyg https://raw.github.com/cfg/apt-cyg/master/apt-cyg
gave me the following error response:
curl: (77) error setting certificate verify locations:
CAfile: /usr/ssl/certs/ca-bundle.crt
CApath: none
I added on -k:
curl -o /usr/bin/apt-cyg https://raw.github.com/cfg/apt-cyg/master/apt-cyg -k
and no error message. As a bonus, now I have apt-cyg installed. And ca-certificates.
-
14That might get around the error, but it also makes the "secure" connection become insecure.– TimCommented Jul 10, 2013 at 18:18
-
2Not really. As far as I know, you can't just bypass the encryption of a secure connection, so it's still encrypted and going to only one endpoint. Somebody correct me if I'm wrong, but the only risk you run is that you could fall prey to a man-in-the-middle attack. Still not likely a risk if you're using curl.– 10gisticCommented Jul 29, 2013 at 16:46
-
26Yes, really. The "-k" option is shorthand for "--insecure". If you have man-in-the-middle what do you think he's doing with your data ? Spoiler alert: he's decrypting it, stealing it, and possibly modifying it and injecting back into the insecure stream. Straight from the man page : "-k, --insecure (SSL) This option explicitly allows curl to perform "insecure" SSL connections and transfers. All SSL connections are attempted to be made secure by using the CA certificate bundle installed by default. This makes all connections considered "insecure" fail unless -k, --insecure is used."– TimCommented Aug 3, 2013 at 10:59
-
2If you need SSL you need privacy and verification — the
-kflag means you're losing verification. Depending on your needs this may be acceptable. MITM are non-trivial attacks if you assume your network and the server you're communicating with are secured from interlopers (can you make that assumption?). The risk increases depending on the type of you data (sourcecode and certs are riskier than images). You can verify the integrity of the data after the transfer (checksums etc.) but now you're shifting your trust onto that checksum channel. In the end-kgives you quite a bit more work.– Mark FoxCommented Mar 4, 2014 at 20:12 -
So does it mean that if i am using a Self signed certificate. I should be using the option -k. As it may not be possible to verify the Self signed certificate ?– LinusCommented Jul 25, 2014 at 10:04
From $ man curl:
--cert-type <type>
(SSL) Tells curl what certificate type the provided certificate
is in. PEM, DER and ENG are recognized types. If not specified,
PEM is assumed.
If this option is used several times, the last one will be used.
--cacert <CA certificate>
(SSL) Tells curl to use the specified certificate file to verify
the peer. The file may contain multiple CA certificates. The
certificate(s) must be in PEM format. Normally curl is built to
use a default file for this, so this option is typically used to
alter that default file.
answered Mar 29, 2012 at 13:03
@roens is correct. This affects all Anaconda users, with below error
curl: (77) error setting certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
The workaround is to use the default system curl and avoid messing with the prepended Anaconda PATH variable. You can either
Rename the Anaconda curl binary :)
mv /path/to/anaconda/bin/curl /path/to/anaconda/bin/curl_anacondaOR remove Anaconda curl
conda remove curl
$ which curl
/usr/bin/curl
[0] Anaconda Ubuntu curl Github issue https://github.com/conda/conda-recipes/issues/352
-
Good find, I didn't realize Anaconda was stealing my path precedence. It worked once I replaced
curlwith the full path/usr/bin/curl– jxramosCommented Nov 19, 2018 at 1:22
If anyone is still having trouble, try this, it worked for me.
Delete the files in your /etc/ssl/certs/ directory
then reinstall ca-certificates:
sudo apt install ca-certificates --reinstall
Did this when I tried installing Linuxbrew.
-
2This helped me but I didn't delete the files on my machine. Just ran the simple command and curl started working. Commented May 17, 2020 at 18:50
-
Another alternative to fix this problem is to disable the certificate validation:
echo insecure >> ~/.curlrc
answered Aug 12, 2015 at 15:31
-
2Workaround, but it helps me after too much time with curl certificates. Thanks.– K. GolCommented Apr 12, 2018 at 11:06
I had the exact same problem. As it turns out, my /etc/ssl/certs/ca-certificates.crt file was malformed. The last entry showed something like this:
-----BEGIN CERTIFICATE-----
MIIEDTCCAvWgAwIBAgIJAN..lots of certificate text....AwIBAgIJAN-----END CERTIFICATE-----
After adding a newline before -----END CERTIFICATE-----, curl was able handle the certificates file.
This was very annoying to find out since my update-ca-certificates command did not give me any warning.
This may or may not be a version specific problem of curl, so here is my version, just for completeness:
curl --version
# curl 7.51.0 (x86_64-alpine-linux-musl) libcurl/7.51.0 OpenSSL/1.0.2j zlib/1.2.8 libssh2/1.7.0
# Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
# Features: IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets
answered Dec 21, 2016 at 13:51
For PHP code running on XAMPP on Windows I found I needed to edit php.ini to include the below
[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo = curl-ca-bundle.crt
and then copy to a file https://curl.haxx.se/ca/cacert.pem and rename to curl-ca-bundle.crt and place it under \xampp path (I couldn't get curl.capath to work). I also found the CAbundle on the cURL site wasn't enough for the remote site I was connecting to, so used one that is listed with a pre-compiled Windows version of curl 7.47.1 at http://winampplugins.co.uk/curl/
-
On windows you can also just add "xampp" before php like so: curl.cainfo = "C:\xampp\php\extras\cacert.pem" Commented Oct 28, 2016 at 6:55
This worked for me
sudo apt-get install ca-certificates
then go into the certificates folder at
sudo cd /etc/ssl/certs
then you copy the ca-certificates.crt file into the /etc/pki/tls/certs
sudo cp ca-certificates.crt /etc/pki/tls/certs
if there is no tls/certs folder: create one and change permissions using chmod 777 -R folderNAME
-
2I tried this but this didn't work for me and I still get the same error. Any ideas ?– AnirudhCommented Mar 21, 2015 at 11:34
-
2
chmod 777is very insecure (anyone - any process - on that box can change the certs and MitM attack you) -chmod 755is much better– GedgeCommented May 11, 2021 at 8:36
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
for example
curl --insecure http://........
-
3Just an aside that "trusting the source" is pretty irrelevant here, since without properly validating the cert against a CA, you have no idea who "the source" is. Commented May 30, 2015 at 23:06
It seems your curl points to a non-existing file with CA certs or similar.
For the primary reference on CA certs with curl, see: https://curl.se/docs/sslcerts.html
answered Jul 1, 2010 at 21:52
Just create the folders, which is missing in your system..
/etc/pki/tls/certs/
and create the file using the following command,
sudo apt-get install ca-certificates
and then copy and paste the certificate to the destination folder, which is showing in your error.. mine was " with message 'error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none' in " make sure you paste the file to the exact location mentioned in the error. Use the following command to copy paste..
sudo cp /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt
Fixed.
-
1None of the top answers worked for me but this did! Commented Feb 28, 2020 at 20:46
For windows :-
Download the certificate from https://curl.se/docs/caextract.html
Rename cacert.pem to curl-ca-bundle.crt
Add the file to any of the below locations
Check this for details https://curl.se/docs/sslcerts.html
answered Jan 12, 2022 at 21:44
-
I did
curl https://curl.se/ca/cacert.pem -o /etc/ssl/certs/ca-certificates.crt -kto get a copy of the root certificate curl needs. I am building linux from scratch.– exebookCommented Mar 4, 2023 at 14:46
I came across this curl 77 problem while was trying to access elasticsearch running in docker container on Ubuntu 20.04 localhost. Afrer container was started:
Check curl without ssl:
curl --cacert http_ca.crt -u elastic https://localhost:9200 -klowercase-kfor insecure connection.Check curl configs:
curl-config --configure, noticed what is ca-bundle:--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt.Copy http_ca.crt file from container to:
/usr/local/share/ca-certificates/, original command is here.Run update on ca-certificates:
sudo update-ca-certificates.Run curl:
curl -u elastic:<password> https://localhost:9201.
Finally got response with"tagline" : "You Know, for Search".
Change <password> to the one that was generated when Docker Image was run.
Also notice that on my machine elastic was started on port 9201 (don't know why: sudo ss -tlpn | grep 9200 gives me nothing), I have found the port with: sudo netstat -ntlp and Programm name was docker-proxy.
I've got the same problem : I'm building an alpine based docker image, and when I want to curl to a website of my organisation, this error appears. To solve it, I have to get the CA cert of my company, then, I have to add it to the CA certs of my image.
- Get the CA certificate
Use OpenSSL to get the certificates related to the website :
openssl s_client -showcerts -servername my.company.website.org -connect my.company.website.org:443
This will output something like :
CONNECTED(00000005)
depth=2 CN = UbisoftRootCA
verify error:num=19:self signed certificate in certificate chain
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
...
Get the last certificate (the content between the -----BEGIN CERTIFICATE----- and the
-----END CERTIFICATE----- markups included) and save it into a file (mycompanyRootCA.crt for example)
- Build your image
Then, when you'll build your docker image from alpine, do the following :
FROM alpine
RUN apk add ca-certificates curl
COPY mycompanyRootCA.crt /usr/local/share/ca-certificates/mycompanyRootCA.crt
RUN update-ca-certificates
Your image will now work properly!
I used to get this error when run composer update And I tried all the commands to reinstall the cert file, but the problem was not solved.
I realized that the error is due to permission So the problem was solved with this command
cd /etc/ssl
sudo chmod 755 -R certs/
answered Apr 24, 2023 at 13:54
For what it's worth, checking which curl is being run is significant too.
A user on a shared machine I maintain had been getting this error. But the cause turned out to be because they'd installed Anaconda (http://continuum.io). Doing so put Anaconda's binary path before the standard $PATH, and it comes with its own curl binary, which had trouble finding the default certs that were installed on this Ubuntu machine.
-
1I recommend checking
which -a curlto see everything available, and of course noting which one comes on top.– jxramosCommented Nov 19, 2018 at 1:23
Just find this solution works perfectly for me.
echo 'cacert=/etc/ssl/certs/ca-certificates.crt' > ~/.curlrc
I found this solution from here
Run following command in git bash that works fine for me
git config --global http.sslverify "false"
I use MobaXterm which intern uses Cygwin so even after installing ca-certificates using apt-cyg install ca-certificates problem didn't resolve.
I was still getting the following error:
curl: (77) error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
Then I tried listing the file /etc/ssl/certs/ca-certificates.crt and I couldn't find it. However I could find /usr/ssl/certs/ca-bundle.crt with all standard CA certificates so I copied the file /usr/ssl/certs/ca-bundle.crt as /etc/ssl/certs/ca-certificates.crt and problem got resolved.
I had this problem as well. My issue was this file:
/usr/ssl/certs/ca-bundle.crt
is by default just an empty file. So even if it exists, you'll still get the error as it doesn't contain any certificates. You can generate them like this:
p11-kit extract --overwrite --format pem-bundle /usr/ssl/certs/ca-bundle.crt
https://github.com/msys2/MSYS2-packages/blob/master/ca-certificates/ca-certificates.install
In my case (on Mac) I had a /etc/ssl/cert_new.pem instead of the default cert filename /etc/ssl/cert.pem. So I run sudo cp cert_new.pem cert.pem and all the ssl issues fixed.
In my case, it was a permission issue
try
sudo curl .....
ca-certificatesinstalled but the error persisted. The problem was that my certificates were located in/etc/ssl/certs/ca-certificates.crtinstead of/etc/pki/tls/certs/ca-bundle.crt, so I just had to set the environmental variableCURL_CA_BUNDLEto the correct path.export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt.