How to fix curl: (60) SSL certificate: Invalid certificate chain when using sudo

Solution 1:

If you store your CA certificates on the filesystem (in PEM format) you can tell curl to use them with

sudo curl --cacert /path/to/cacert.pem ...

You can also turn off the certificate verification with

sudo curl --insecure ...

Edit: Updated with regard to feedback

If you want to set this permanently, you should create a .curlrc file and place it in your home directory. sudo commands may need this file in /var/root. The file takes the same options as the command line but without the dashes. One option per line:

cacert=/path/to/my/certs.pem

Solution 2:

Root doesn't read from the current user trust settings, but there are both an admin trust settings and root-user-specific trust settings. (These are also distinct from the system trust settings.) Note, also, that certificate trust settings are somewhat distinct from just adding a certificate to a keychain; you can mark a cert as trusted without fully adding it. (The exact situation here is not clear to me, and the docs I've seen are vague.)

You can mark a cert as trusted for your current user with

$ security add-trusted-cert /path/to/cert.pem

but that doesn't help with root. The solution, as you might now guess, is either to sudo the above, which then marks it as trusted for the root user specifically:

$ sudo security add-trusted-cert /path/to/cert.pem

or to use the -d flag to add it to the admin trust settings:

$ security add-trusted-cert -d /path/to/cert.pem

(OS X will pop up a password dialog to confirm this one.)

Either of the latter two seems to be sufficient for sudo curl.

Reference: https://developer.apple.com/library/mac/Documentation/Darwin/Reference/ManPages/man1/security.1.html

Solution 3:

This is really in the output hint:

echo insecure >> ~/.curlrc

The advantage of using the above solution is that it works for all curl commands, but it is not recommended since it may introduce MITM attacks by connecting to insecure and untrusted hosts.
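Solutions 1 and 3 both come down to what ends up in a .curlrc file: either a `cacert=` line pointing at your own CA bundle (keeps verification on) or a bare `insecure` line (turns it off for every curl invocation by that user, root included if the file lives in /var/root). The script below is an added example, not code from any of the answers above: it rewrites a given .curlrc to pin a CA bundle, drops any `insecure` line it finds, and offers an audit function you can run over `~/.curlrc` and `/var/root/.curlrc` to spot a leftover `insecure` before it bites you. All file paths passed to it are assumptions; the test data is constructed.

```shell
#!/bin/sh
# Added example: manage a .curlrc so that sudo curl trusts a private CA
# bundle instead of having verification switched off. Not part of the
# original answers; paths are supplied by the caller (assumed examples:
# /var/root/.curlrc and /path/to/cacert.pem).
set -eu

# curlrc options may be written as "name=value", "name: value" or "name value";
# this pattern matches the start of a cacert or insecure option in any of them.
UNSAFE_OR_CACERT='^[[:space:]]*(cacert|insecure)([[:space:]:=]|$)'
INSECURE_LINE='^[[:space:]]*insecure([[:space:]:=]|$)'

# write_curlrc RC BUNDLE
# Rewrite RC so it contains exactly one cacert= line pointing at BUNDLE,
# keeping every other option but removing any "insecure" line.
write_curlrc() {
    rc="$1"
    bundle="$2"
    if [ ! -r "$bundle" ]; then
        echo "CA bundle not readable: $bundle" >&2
        return 1
    fi
    tmp="$rc.tmp.$$"
    if [ -f "$rc" ]; then
        # grep -v exits 1 when every line was filtered out; that is not an error here
        grep -v -E "$UNSAFE_OR_CACERT" "$rc" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf 'cacert=%s\n' "$bundle" >> "$tmp"
    mv "$tmp" "$rc"
    # the file steers every curl run by this user; keep it private
    chmod 600 "$rc"
}

# curlrc_is_safe RC
# Exit 0 if RC does not disable certificate verification (or does not exist),
# exit 1 if it contains an "insecure" option.
curlrc_is_safe() {
    rc="$1"
    [ -f "$rc" ] || return 0
    if grep -q -E "$INSECURE_LINE" "$rc"; then
        echo "verification disabled in $rc" >&2
        return 1
    fi
    return 0
}

# Command-line use:  sh fix-curlrc.sh /var/root/.curlrc /path/to/cacert.pem
if [ "$#" -ge 2 ]; then
    write_curlrc "$1" "$2"
    curlrc_is_safe "$1"
fi
```

Run it as root (or via sudo) for /var/root/.curlrc so that `sudo curl` picks up the bundle, and as your own user for ~/.curlrc. The audit function alone is useful in a cron or CI check: a non-zero exit from `curlrc_is_safe` means somebody followed Solution 3 on that host.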

Solution 4:

If you use MacPorts (and the 3rd-party script you mentioned doesn't remove it from $PATH or call /usr/bin/curl) you can install the certsync and curl ports in this order.

certsync is a tool and a corresponding launchd plist that will export your system keychain to $prefix/etc/openssl/cert.pem and install a symlink $prefix/share/curl/curl-ca-bundle.crt -> $prefix/etc/openssl/cert.pem so MacPorts curl will automatically pick up the certificates. certsync will also automatically update the generated files when you change your system keychain.