Knowledge

curl (60) SSL certificate problem: unable to get local issuer certificate

#Errors

This curl error means it could not verify the remote server certificate against a trusted root. Usually the local CA bundle is outdated or missing, not a problem with the remote site.

Published by Mark van Eijk on June 23, 2026 · 1 minute read

  1. About the error
  2. Why do I see this error
  3. Solution
  4. Update the CA bundle (the right fix)
  5. Point curl at a specific CA bundle
  6. Diagnose with verbose output
  7. Do not disable verification

About the error

The message reads:

curl: (60) SSL certificate problem: unable to get local issuer certificate

curl connected over TLS but couldn't build a trust chain from the server's certificate up to a root certificate it knows. To verify a certificate, curl needs the issuing CA certificates available locally. If it can't find them, it errors out rather than trusting blindly.

Why do I see this error

  • The system's CA certificate bundle is outdated or missing.
  • The server doesn't send its full chain, so an intermediate certificate in the chain is absent.
  • The certificate (or an intermediate) has expired.
  • The machine's clock is wrong, certificates are time-sensitive, so a bad system time breaks verification.

Solution

Update the CA bundle (the right fix)

On Debian or Ubuntu:

sudo apt update
sudo apt install --reinstall ca-certificates
sudo update-ca-certificates

On RHEL, CentOS or Fedora:

sudo yum reinstall ca-certificates
sudo update-ca-trust

This refreshes the trusted roots and resolves the error in the vast majority of cases.

Point curl at a specific CA bundle

If the certificates are installed but curl still can't find them, tell it where to look:

curl --cacert /etc/ssl/certs/ca-certificates.crt https://example.com

For PHP's curl, set the path in php.ini so every request uses it:

curl.cainfo = "/etc/ssl/certs/ca-certificates.crt"
openssl.cafile = "/etc/ssl/certs/ca-certificates.crt"

Diagnose with verbose output

To see exactly where the chain breaks:

curl -v https://example.com

Do not disable verification

You'll see advice to use curl -k (or CURLOPT_SSL_VERIFYPEER = false in code). That turns off certificate verification entirely and exposes you to man-in-the-middle attacks. Fix the trust store instead. If you're chasing other curl trouble on older servers, see error in the HTTP/2 framing layer.

Subscribe to our newsletter

Do you want to receive regular updates with fresh and exclusive content to learn more about web development, hosting, security and performance? Subscribe now!