Curl SSL Certificate: unable to get local issuer certificate

when using curl in verbose mode, I get this error: Command:

$ curl -vvI https://www.google.com

Error:

  • successfully set certificate verify locations:
  • CAfile: none CApath: /etc/ssl/certs
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
  • TLSv1.3 (IN), TLS handshake, Certificate (11):
  • TLSv1.3 (OUT), TLS alert, unknown CA (560):
  • SSL certificate problem: unable to get local issuer certificate
  • Closing connection 0

But if I send the same command with sudo, the connection is setup successfully, so I guess it's a permission issue.

This is what I get with namei command:

$ namei -mo /etc/ssl/certs/ca-certificates.crt

f: /etc/ssl/certs/ca-certificates.crt
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x root root ssl
drw-r--r-- root root certs
                     ca-certificates.crt - Permission denied

So I issued this command:

$ sudo chmod 755 /etc/ssl/certs/ca-certificates.crt

That was executed without errors, but the output of namei command is the same.

Same thing with /etc/ssl/certs/certificate.crt

Finally, if I send this command:

$ sudo ls -l /etc/ssl/certs/ca-certificates.crt

I get:

-rwxr-xr-x 1 root root 218664 lug 19 18:51 /etc/ssl/certs/ca-certificates.crt

Solution 1:

You can't access files in the /etc/ssl/certs directory because it is missing search permission (x). You may fix that with chmod, e.g.: chmod a+x /etc/ssl/certs