Knowledge

curl (60) SSL certificate problem: unable to get local issuer certificate

#Errors

This curl error means it could not verify the remote server certificate against a trusted root. Usually the local CA bundle is outdated or missing, not a problem with the remote site.

Published by Mark van Eijk on June 23, 2026 · 1 minute read

  1. About the error
  2. Why do I see this error
  3. Solution
  4. Update the CA bundle (the right fix)
  5. Point curl at a specific CA bundle
  6. Diagnose with verbose output
  7. Do not disable verification

About the error

The message reads:

curl: (60) SSL certificate problem: unable to get local issuer certificate

curl connected over TLS but couldn't build a trust chain from the server's certificate up to a root certificate it knows. To verify a certificate, curl needs the issuing CA certificates available locally. If it can't find them, it errors out rather than trusting blindly.

Why do I see this error

  • The system's CA certificate bundle is outdated or missing.
  • The server doesn't send its full chain, so an intermediate certificate is absent.
  • The certificate (or an intermediate) has expired.
  • The machine's clock is wrong, certificates are time-sensitive, so a bad system time breaks verification.

Solution

Update the CA bundle (the right fix)

On Debian or Ubuntu:

sudo apt update
sudo apt install --reinstall ca-certificates
sudo update-ca-certificates

On RHEL, CentOS or Fedora:

sudo yum reinstall ca-certificates
sudo update-ca-trust

This refreshes the trusted roots and resolves the error in the vast majority of cases.

Point curl at a specific CA bundle

If the certificates are installed but curl still can't find them, tell it where to look:

curl --cacert /etc/ssl/certs/ca-certificates.crt https://example.com

For PHP's curl, set the path in php.ini so every request uses it:

curl.cainfo = "/etc/ssl/certs/ca-certificates.crt"
openssl.cafile = "/etc/ssl/certs/ca-certificates.crt"

Diagnose with verbose output

To see exactly where the chain breaks:

curl -v https://example.com

Do not disable verification

You'll see advice to use curl -k (or CURLOPT_SSL_VERIFYPEER = false in code). That turns off certificate verification entirely and exposes you to man-in-the-middle attacks. Fix the trust store instead. If you're chasing other curl trouble on older servers, see error in the HTTP/2 framing layer.

Subscribe to our newsletter

Do you want to receive regular updates with fresh and exclusive content to learn more about web development, hosting, security and performance? Subscribe now!

Related articles

Error in the HTTP2 framing layer

This curl error means it could not verify the remote server certificate against a trusted root. Usually the local CA bundle is outdated or missing, not a problem with the remote site.

Read more →

413 Request Entity Too Large in nginx

This curl error means it could not verify the remote server certificate against a trusted root. Usually the local CA bundle is outdated or missing, not a problem with the remote site.

Read more →