DEV Community

Teresa N. Fontanella De Santis
Teresa N. Fontanella De Santis

Posted on • Edited on

Curl issue: SSL certificate problem: certificate has expired

In the following article we'll cover a common certificate issue faced with cURL application. curl is a command line client URL, which provides us the response of a given request for any HTTP(S) method. After this introduction, let's go deep into our issue...

Issue

When trying to execute a curl command to a specific site, like curl https://airlabs.co/api/v9/ping.json it is giving the following error:

“curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.”

The same url is working fine on any browser, and we have the openssl library installed on our server,

Root cause explanation

CURL certificate stored on the server has expired. So we need to obtain the updated certificate for the site and replace it in the certificates’ system folder.

Resolution steps

  1. First make sure you have wget installed on your server.
    You can install it on Mac using brew install wget.
    For Ubuntu, you can use apt install wget.
    For CentOS/RHEL, you can use yum install wget.

  2. Download the updated curl’s SSL certificate (from site curl.se), doing: wget https://curl.se/ca/cacert.pem
    The certificate will be downloaded as cacert.pem file. Then, you can execute the curl command with the flag --cacert <path_to_cacert.pem_file>.
    For example: curl --cacert ./cacert.pem https://airlabs.co/api/v9/ping.json
    If the certificate file is a valid one, the error should have disappeared. As we don’t want to add the --cacert flag for every curl command, we’ll go to the next step.

  3. Replace the updated certificate on the certificates’ system folder. To get the folder path, execute the openssl version -a on your terminal. You’ll see something similar to this (it may vary according to the OS configuration).
    Image description
    The OPENSSLDIR folder is the folder where the certificates are stored by default; so copy it to the clipboard.

    Then, copy (or move) the certificate into that folder. In our example, it can be:
    cp cacert.pem <OPENSSL_DIR>

After that, if we execute our curl command again, it will work as expected!

Top comments (0)