How do I deal with certificates using cURL while trying to access an HTTPS url?

Question

I also had the newest version of ca-certificates installed but was still getting the error:

curl: (77) error setting certificate verify locations:
  CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none

The issue was that curl expected the certificate to be at the path /etc/pki/tls/certs/ca-bundle.crt but could not find it because it was at the path /etc/ssl/certs/ca-certificates.crt.

Copying my certificate to the expected destination by running

sudo cp /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt

worked for me. You will need to create folders for the target destination if they do not exist by running

sudo mkdir -p /etc/pki/tls/certs

If needed, modify the above command to make the destination file name match the path expected by curl, i.e. replace /etc/pki/tls/certs/ca-bundle.crt with the path following "CAfile:" in your error message.

This error is related to a missing package: ca-certificates. Install it.

In Ubuntu Linux (and similar distro):

# apt-get install ca-certificates

In CygWin via Apt-Cyg

# apt-cyg install ca-certificates

In Arch Linux (Raspberry Pi)

# pacman -S ca-certificates

---

The documentation tells:

This package includes PEM files of CA certificates to allow SSL-based applications to check for the authenticity of SSL connections.

As seen at: Debian -- Details of package ca-certificates in squeeze

Put this into your .bashrc

# fix CURL certificates path
export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

(see comment from Robert)

Create a file ~/.curlrc with the following content

cacert=/etc/ssl/certs/ca-certificates.crt

as follows

echo "cacert=/etc/ssl/certs/ca-certificates.crt" >> ~/.curlrc

The quickest way to get around the error is add on the -k option somewhere in your curl request. That option "allows connections to SSL cites without certs." (from curl --help)

Be aware that this may mean that you're not talking to the endpoint you think you are, as they are presenting a certificate not signed by a CA you trust.

For example:

$ curl -o /usr/bin/apt-cyg https://raw.github.com/cfg/apt-cyg/master/apt-cyg

gave me the following error response:

curl: (77) error setting certificate verify locations:
  CAfile: /usr/ssl/certs/ca-bundle.crt
  CApath: none

I added on -k:

curl -o /usr/bin/apt-cyg https://raw.github.com/cfg/apt-cyg/master/apt-cyg -k

and no error message. As a bonus, now I have apt-cyg installed. And ca-certificates.

From $ man curl:

--cert-type <type>
    (SSL) Tells curl what certificate type the provided  certificate
    is in. PEM, DER and ENG are recognized types.  If not specified,
    PEM is assumed.

    If this option is used several times, the last one will be used.

--cacert <CA certificate>
    (SSL) Tells curl to use the specified certificate file to verify
    the peer. The file may contain  multiple  CA  certificates.  The
    certificate(s)  must be in PEM format. Normally curl is built to
    use a default file for this, so this option is typically used to
    alter that default file.

@roens is correct. This affects all Anaconda users, with below error
curl: (77) error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none

The workaround is to use the default system curl and avoid messing with the prepended Anaconda PATH variable. You can either

1. Rename the Anaconda curl binary :)
   mv /path/to/anaconda/bin/curl /path/to/anaconda/bin/curl_anaconda

2. OR remove Anaconda curl
   conda remove curl

$ which curl /usr/bin/curl

[0] Anaconda Ubuntu curl Github issue https://github.com/conda/conda-recipes/issues/352