Knowledge
curl (60) SSL certificate problem: unable to get local issuer certificate
#Errors
This curl error means it could not verify the remote server certificate against a trusted root. Usually the local CA bundle is outdated or missing, not a problem with the remote site.
Published by Mark van Eijk on June 23, 2026 · 1 minute read
- About the error
- Why do I see this error
- Solution
- Update the CA bundle (the right fix)
- Point curl at a specific CA bundle
- Diagnose with verbose output
- Do not disable verification
About the error
The message reads:
curl: (60) SSL certificate problem: unable to get local issuer certificate
curl connected over TLS but couldn't build a trust chain from the server's certificate up to a root certificate it knows. To verify a certificate, curl needs the issuing CA certificates available locally. If it can't find them, it errors out rather than trusting blindly.
Why do I see this error
- The system's CA certificate bundle is outdated or missing.
- The server doesn't send its full chain, so an intermediate certificate in the chain is absent.
- The certificate (or an intermediate) has expired.
- The machine's clock is wrong, certificates are time-sensitive, so a bad system time breaks verification.
Solution
Update the CA bundle (the right fix)
On Debian or Ubuntu:
sudo apt update
sudo apt install --reinstall ca-certificates
sudo update-ca-certificates
On RHEL, CentOS or Fedora:
sudo yum reinstall ca-certificates
sudo update-ca-trust
This refreshes the trusted roots and resolves the error in the vast majority of cases.
Point curl at a specific CA bundle
If the certificates are installed but curl still can't find them, tell it where to look:
curl --cacert /etc/ssl/certs/ca-certificates.crt https://example.com
For PHP's curl, set the path in php.ini so every request uses it:
curl.cainfo = "/etc/ssl/certs/ca-certificates.crt"
openssl.cafile = "/etc/ssl/certs/ca-certificates.crt"
Diagnose with verbose output
To see exactly where the chain breaks:
curl -v https://example.com
Do not disable verification
You'll see advice to use curl -k (or CURLOPT_SSL_VERIFYPEER = false in code). That turns off certificate verification entirely and exposes you to man-in-the-middle attacks. Fix the trust store instead. If you're chasing other curl trouble on older servers, see error in the HTTP/2 framing layer.
Subscribe to our newsletter
Do you want to receive regular updates with fresh and exclusive content to learn more about web development, hosting, security and performance? Subscribe now!