How to fix CA cert issues with Curl in Ubuntu 14.04?
I am using Ubuntu 14.04. When I use curl, I get the following error:
curl: (77) error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath:
From what I gather from googling, the CAfile location it is looking for is not correct for Ubuntu (and it doesn't exist on my computer), /etc/ssl/certs/ca-certificates.crt is the proper location.
Most of the solutions involved setting the environment variable CURL_CA_BUNDLE to the proper location, or adding cacert=/etc/ssl/certs/ca-certificates.crt to the (newly created) .curlrc file in my home directory. I have tried both, and neither completely solves the issue. curl is finding this location, but it still doesn't work, giving the error:
curl: (60) SSL certificate problem: self signed certificate in certificate chain
I also tried uninstalling and reinstalling curl in Ubuntu, and updating my CA certs with $ sudo update-ca-certificates --fresh which updated the certs, but still didn't make error 60 go away.
I am not that knowledgeable about CA certs, and doubt I purposely added some self signed certificate in the past. Perhaps by accident, I don't know.
Does anyone know how to fix this? Is there a way to actually start fresh with all my certs? Or does anyone even know how I go about figuring out where this self signed certificate is, and then how to remove it?
PS: I don't want to use the -k (aka --insecure) flag. I want to get this working securely.
Solution 1:
After researching and working on this over the last couple days I got it to work, and the answer ended up being rather simple.
I needed to set capath=/etc/ssl/certs/ in my .curlrc file.
This got curl working on the command line. To further get curl to work in R (where I first encountered the problem) I also needed to have cacert=/etc/ssl/certs/ca-certificates.crt in my .curlrc file as tried before, otherwise it continued to look for /etc/pki/tls/certs/ca-bundle.crt.
I still have no idea why I was seeing the error about self-signed certificates.
Based on some other random findings I also downloaded a certificate from the Curl website with:
sudo wget https://curl.se/ca/cacert.pem
into the same certs directory. Having cafile pointed at this worked as well. In the end I put it back to ca-certificates.crt and it still works.
I don't understand exactly why this worked or what is going on, but it is resolved.
Solution 2:
cafile key does not work for me (curl 7.45.0) but cacert (from --cacert option) does. My .curlrc file:
capath=/etc/ssl/certs/
cacert=/etc/ssl/certs/ca-certificates.crt
Solution 3:
After researching a few times I got it to work, and the answer ended up being a rather simple one.
Open a terminal (Ctrl+Alt+T) and change the working directory:
cd /etc/ssl/certs/
Download the PEM file into the certs folder:
sudo wget https://curl.se/ca/cacert.pem
Now open the file .curlrc:
nano ~/.curlrc
Add the lines below to the open file:
capath=/etc/ssl/certs/
cacert=/etc/ssl/certs/ca-certificates.crt
Now save the file and do your things using the curl command.
N.B. Here I used the nano editor, but you can use any editor.
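The answers above all come down to which cacert and capath entries ~/.curlrc names. As an added example (not code from the original posts), the shell function below reads a curl config file and reports whether each CA location it names can actually be loaded; the function name check_curlrc_ca is hypothetical.

```shell
# Added example: audit the CA settings in a curl config file.
# check_curlrc_ca is a hypothetical helper name, not part of curl.
# Usage: check_curlrc_ca "$HOME/.curlrc"   (returns 0 only if every entry is usable)
check_curlrc_ca() {
    rc_file=$1
    status=0
    [ -r "$rc_file" ] || { echo "missing: $rc_file"; return 2; }
    # Config lines are "key=value", "key: value" or "key value"; leading dashes are optional.
    while IFS= read -r line; do
        case $line in
            '#'*|'') continue ;;
        esac
        key=$(printf '%s\n' "$line" | sed -E 's/^[[:space:]]*-*([A-Za-z-]+).*/\1/')
        val=$(printf '%s\n' "$line" |
            sed -E 's/^[[:space:]]*-*[A-Za-z-]+[[:space:]]*[=:]?[[:space:]]*//; s/^"(.*)"$/\1/')
        case $key in
            cacert)
                if [ ! -r "$val" ]; then
                    # A bundle path that cannot be read is the error 77 case from the question.
                    echo "cacert $val: unreadable"; status=1
                elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$val"; then
                    echo "cacert $val: no PEM certificates"; status=1
                else
                    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$val")
                    echo "cacert $val: ok ($n certificates)"
                fi ;;
            capath)
                if [ -d "$val" ]; then
                    echo "capath $val: ok"
                else
                    echo "capath $val: not a directory"; status=1
                fi ;;
            cafile)
                # As Solution 2 found, the key curl accepts is cacert.
                echo "cafile: not a curl option name (use cacert)"; status=1 ;;
            insecure|k)
                echo "insecure: certificate verification is disabled"; status=1 ;;
        esac
    done < "$rc_file"
    return $status
}
```

A non-zero return means at least one entry would leave curl without a usable trust store, or with verification switched off.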