How to fix curl throwing "error setting certificate verify locations"

I'm a web developer and I have a MacBook4,1 with OS X 10.5.8. Important stuff like GitHub, Homebrew, Ruby and Python doesn't work correctly, because curl doesn't work. It seems that the SSL certificates are outdated.

I get this error every time:

curl: (77) error setting certificate verify locations:
  CAfile: /usr/share/curl/curl-ca-bundle.crt
  CApath: none

What can I do to fix this?


That error doesn't explicitly say that the certificates are outdated, does it? It looks to me like it is complaining that the certs are not where they are supposed to be (or potentially they can't be read).

Found this on google:

http://curl.haxx.se/mail/curlphp-2005-11/0038.html

To summarize, the poster suggests either using the -k flag with curl to suppress this error (this is obviously less secure) or making sure that whatever process is calling curl has execute access to all directories on the path to the certificates.
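As an added example (not part of either answer), here is a small shell checker that tests the three conditions the (77) message can be hiding: it walks every directory on the CAfile path for the search (execute) bit the poster above refers to, checks that the file itself is readable, and confirms it actually holds PEM certificate blocks rather than a binary DER export. The CAfile path in the usage comment is an assumption; any path can be passed in.

```shell
#!/bin/sh
# Added example (not from either answer): diagnose curl's
#   (77) error setting certificate verify locations
# for a given CAfile path. curl needs three things for that path to work:
#   1. search (execute) permission on every directory leading to the file,
#   2. read permission on the file itself,
#   3. PEM content inside it (a binary DER .cer export looks like garbage to curl).
# Usage: check_cafile /usr/share/curl/curl-ca-bundle.crt   (path is an assumption)

# Number of "-----BEGIN CERTIFICATE-----" markers in a file; 0 for DER or junk.
count_pem_certs() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Exit status: 0 = usable, 2/3 = directory missing/unsearchable,
# 4/5 = file missing/unreadable, 6 = file holds no PEM certificates.
check_cafile() {
    cafile=$1
    dir=$(dirname "$cafile")
    # Walk up through every ancestor directory; a missing x bit anywhere
    # makes the file unreachable even when the file itself is world-readable.
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        if [ ! -d "$dir" ]; then
            echo "missing directory on CAfile path: $dir" >&2
            return 2
        fi
        if [ ! -x "$dir" ]; then
            echo "no search (execute) permission on: $dir" >&2
            return 3
        fi
        dir=$(dirname "$dir")
    done
    if [ ! -f "$cafile" ]; then
        echo "CAfile does not exist: $cafile" >&2
        return 4
    fi
    if [ ! -r "$cafile" ]; then
        echo "CAfile is not readable by $(id -un): $cafile" >&2
        return 5
    fi
    count=$(count_pem_certs "$cafile")
    if [ "$count" -eq 0 ]; then
        echo "CAfile contains no PEM certificate blocks (DER export?): $cafile" >&2
        return 6
    fi
    echo "OK: $cafile holds $count PEM certificate(s)"
    return 0
}

# Stand-alone use: check the path given on the command line.
if [ "$#" -gt 0 ]; then
    check_cafile "$1"
fi
```

Once the check passes, point curl at that file with --cacert (or the CURL_CA_BUNDLE environment variable) rather than reaching for -k, which switches certificate verification off entirely.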


The problem arises because OS X doesn't keep its CA certs in the file system; they live in the "System Roots" keychain. You can see them with the Keychain Access app (found in your Applications/Utilities folder).

For those tools that don't know how to talk to the keychain (like curl), you can export these certs to a folder of your choice, say /etc/ssl/certs to be consistent with most Linux distros. You can either drag and drop them out of Keychain Access into a Finder window, or select them and choose "Export items..." from the File menu. With drag and drop it always seems to use the binary .cer format, whereas most CLI tools want base64-encoded PEM (commonly using the .crt file extension). You can export in PEM format from Keychain Access, but it only seems to export one cert at a time even if you have multiple certs selected. To work around this, I wrote a bash script to batch convert .cer to PEM format .crt files:

#!/bin/bash
# Convert all .cer files in this folder into PEM format .crt files
shopt -s nullglob    # with no .cer files present, loop zero times instead of once over the literal "*.cer"
for f in *.cer
do
        # DER in, PEM out; only remove the original once the conversion succeeded
        openssl x509 -inform der -in "${f}" -outform pem -out "${f%.*}.crt" && rm "$f"
done
chmod 444 *.crt      # read-only, so nothing can quietly swap a CA cert

To use it, make a folder, put this script in it (I called it cerconv.sh), drag and drop all your root CA certs into it, open a terminal in that folder and just run bash cerconv.sh.

To avoid nefarious things swapping out your CA certs, I added a line to chmod them all as read-only.

This may all be unnecessary - I certainly have no trouble with git(hub), Homebrew, curl etc. without having to do this, and have done for years - but at least you now know how to get the certs.

This approach is better than using -k in curl because you're not compromising your security.

Update: I just discovered the security utility on OS X. Here's a command that uses it to export all certificates from your system keychain into a single .pem file that should be usable with curl:

security export -p -t certs -k `security list-keychains -d system|cut -d '"' -f 2` -o certs/certs.pem
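As an added example, not the answer's own script, here is a shell version of the batch conversion that also assembles the result into the single PEM bundle the update above is after: PEM inputs (.crt/.pem) are passed through, binary DER .cer exports are converted with openssl (assumed to be on PATH), originals are never deleted, files that are neither format are reported and skipped, and the finished bundle is made read-only as in the original script. The input directory and output path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not the answer's own script): build one PEM bundle for curl
# from a folder of certificates exported from Keychain Access, whether they
# came out as binary DER (.cer) or as PEM (.crt/.pem). Paths are assumptions.
# Usage: build_bundle ./exported-certs /etc/ssl/certs/ca-bundle.pem
#        curl --cacert /etc/ssl/certs/ca-bundle.pem https://github.com/

# Print FILE as PEM on stdout. PEM input is passed through; anything else is
# treated as DER and converted with openssl (assumed available). Returns
# non-zero if that fails, so the caller keeps the original and reports it.
to_pem() {
    file=$1
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$file" 2>/dev/null; then
        cat "$file"
    else
        openssl x509 -inform der -in "$file" -outform pem 2>/dev/null
    fi
}

# Concatenate every certificate found in DIR into OUT (written via a temp
# file so a half-built bundle never replaces a good one), then make OUT
# read-only so a stray process can't quietly append its own CA.
# Prints the number of certificates bundled; returns 1 if there were none.
build_bundle() {
    dir=$1
    out=$2
    tmp="$out.tmp.$$"
    : > "$tmp"
    for f in "$dir"/*.cer "$dir"/*.crt "$dir"/*.pem; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal in POSIX sh
        if to_pem "$f" >> "$tmp"; then
            printf '\n' >> "$tmp"        # keep blocks on their own lines even if a source lacked a final newline
        else
            echo "skipped (neither DER nor PEM, or openssl missing): $f" >&2
        fi
    done
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$tmp" 2>/dev/null || true)
    n=${n:-0}
    if [ "$n" -eq 0 ]; then
        rm -f "$tmp"
        echo "no certificates found in $dir" >&2
        return 1
    fi
    mv "$tmp" "$out"
    chmod 444 "$out"
    echo "$n"
}

# Stand-alone use: build_bundle <dir> <out>
if [ "$#" -eq 2 ]; then
    build_bundle "$1" "$2"
fi
```

The bundle this produces is what curl's CAfile expects: one file, PEM blocks back to back. Rebuild it from a fresh export when roots change, and keep the original .cer files until the new bundle has been checked, since the script deliberately never removes them.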