How to Fix curl SSL Certificate Problem Self Signed Certificate Chain

When executing curl commands to download files, contact APIs, or trigger shell scripts over HTTPS, you may encounter an SSL verification failure:

curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it.

This error blocks your connection. It means curl refused to send data because the server presented a certificate chain containing a self-signed certificate that your system's trusted certificate authorities do not validate.

In this guide, we will analyze why SSL handshake errors happen inside curl, run temporary insecure bypasses, and update local Certificate Authority (CA) files.

The Cause: Unverified Certificate Authority Chains

When curl makes an HTTPS request, it performs a TLS handshake. To prevent man-in-the-middle (MITM) attacks, curl verifies the server's certificate chain against a local store of trusted root certificates (the CA bundle).

The verification fails in three scenarios:

  1. Self-Signed Certificates: The server uses a certificate it generated itself rather than one signed by a trusted public authority (like Let's Encrypt or DigiCert).
  2. Outdated Local CA Bundle: Your operating system's local CA bundle is outdated and does not contain the root certificate that the server's chain leads to.
  3. Corporate Network Decryption: Corporate firewalls or proxy gateways decrypt and re-encrypt traffic using a self-signed company certificate to inspect packets.

Solution 1: Bypass SSL Verification (Insecure Temp Fix)

If you are developing inside a secure local network and need to bypass the warning quickly, tell curl to ignore SSL certificate validation using the -k (or --insecure) flag:

# Force curl to download the resource, skipping SSL checks
curl -k https://example.com/api/data

# Or using the long option:
curl --insecure https://example.com/api/data

  • Security Warning: Bypassing SSL validation means curl does not verify the identity of the host. Never use this flag in production shell scripts or over public Wi-Fi hotspots, as it makes your application vulnerable to data interception.
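
To keep the bypass out of production scripts, a check like the following can run in CI. It is an added example, not part of the original post; the function name find_insecure_curl and the sample script are constructed for illustration, and the match is a heuristic rather than a full shell parser.

```shell
#!/bin/sh
# Added example: flag curl invocations that disable certificate verification.
# Heuristic: on each logical line (backslash continuations joined) that runs
# curl, match --insecure, -k, or a bundled short-flag group such as -sSk.

find_insecure_curl() {
  # Usage: find_insecure_curl FILE...
  # Prints "file:line: command" per hit; exit status 1 if anything was found.
  awk '
    function check() {
      if (cmd ~ /(^|[^A-Za-z0-9_-])curl[ \t]/ &&
          cmd ~ /[ \t](--insecure|-[A-Za-z0-9]*k[A-Za-z0-9]*)([ \t]|$)/) {
        printf "%s:%d: %s\n", fname, start, cmd
        hits++
      }
      cmd = ""
    }
    FNR == 1 && cmd != "" { check() }      # continuation left open by previous file
    /^[ \t]*#/ { next }                    # skip comment lines
    {
      if (cmd == "") { start = FNR; fname = FILENAME }
      line = $0
      cont = sub(/\\$/, "", line)          # trailing backslash joins next line
      cmd = cmd line
      if (!cont) check()
    }
    END { if (cmd != "") check(); exit (hits > 0) }
  ' "$@"
}

# Constructed sample script, embedded so the example runs offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/bin/sh
# curl -k is mentioned here only in a comment
curl --cacert /path/to/company-ca.crt https://example.com/api/data
curl -k https://example.com/api/data
curl -sSk -o out.json \
  https://example.com/api/data
curl --silent \
  --insecure https://example.com/api/data
curl --keepalive-time 30 https://example.com/api/data
EOF

find_insecure_curl "$sample" || echo "certificate verification is disabled above"
```

The non-zero exit status on a hit lets a pipeline step fail the build; an option bundle such as -ok, where k is really an argument, is reported as a false positive.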

Solution 2: Update Your System's CA Certificates

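The most secure long-term fix is updating your operating system's CA certificates package. This ensures your system recognizes modern public certification authorities. It addresses an outdated local bundle; it does not add trust for a private or corporate root, which Solution 3 covers.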

Run the update command for your operating system:

  • Ubuntu / Debian:
sudo apt-get update
sudo apt-get install --reinstall ca-certificates
  • CentOS / RHEL:
sudo yum update
sudo yum reinstall ca-certificates
  • macOS: Update your system's keychain via Homebrew:
brew postinstall openssl

Solution 3: Pass a Custom CA Certificate File

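If you must connect to an internal company server that uses a valid self-signed certificate, you can download the company's Root CA certificate (e.g., company-ca.crt) and instruct curl to trust it specifically. Obtain the file through a channel you already trust, because a CA file fetched over the unverified connection gives no assurance.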

Use the --cacert flag to declare the certificate file path:

# Tell curl to trust your custom certificate file during this request
curl --cacert /path/to/company-ca.crt https://example.com/api/data

This establishes a secure, validated connection without turning off certificate verification.

Conclusion

The curl (60) SSL certificate problem occurs when curl fails to validate a server's security credentials. To resolve this error, append the -k or --insecure flag to bypass verification during local testing, refresh your operating system's CA certificate packages to restore global public trust, or use the --cacert parameter to feed your custom certificate files to curl securely.