Curl issue: SSL certificate problem: certificate has expired
In this article we'll cover a common certificate issue encountered with cURL. curl is a command-line URL client that returns the response to a given request for any HTTP(S) method. After this introduction, let's dig into the issue.
Issue
When trying to execute a curl command against a specific site, such as
    curl https://airlabs.co/api/v9/ping.json
it gives the following error:
“curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.”
The same URL works fine in any browser, and we have the openssl library installed on our server.
Root cause explanation
The curl certificate stored on the server has expired, so we need to obtain the updated certificate for the site and replace it in the system's certificates folder.
Resolution steps
1. First make sure you have wget installed on your server.
   On Mac, you can install it using:
       brew install wget
   For Ubuntu, you can use:
       apt install wget
   For CentOS/RHEL, you can use:
       yum install wget
2. Download curl's updated SSL certificate (from the curl.se site):
       wget https://curl.se/ca/cacert.pem
   The certificate will be downloaded as the file cacert.pem. You can then run the curl command with the flag --cacert <path_to_cacert.pem_file>. For example:
       curl --cacert ./cacert.pem https://airlabs.co/api/v9/ping.json
   If the certificate file is valid, the error should disappear. As we don't want to add the --cacert flag to every curl command, we'll go on to the next step.
3. Replace the certificate in the system's certificates folder with the updated one. To get the folder path, run openssl version -a in your terminal. The output includes an OPENSSLDIR line (its value may vary according to the OS configuration). The OPENSSLDIR folder is where the certificates are stored by default, so copy its path to the clipboard. Then copy (or move) the certificate into that folder. In our example:
       cp cacert.pem <OPENSSL_DIR>
After that, if we execute our curl command again, it will work as expected!
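Because the last two steps replace the trust anchors curl relies on, it is worth checking the downloaded file before copying it. The shell function below is an added example, not part of the original article: it assumes the checksum file that curl.se publishes next to the bundle (cacert.pem.sha256) was downloaded as well, and install_ca_bundle and sha256_of are hypothetical helper names.

```shell
#!/bin/sh
# Added example: verify a downloaded CA bundle before installing it.
# Typical fetch (not run here):
#   wget https://curl.se/ca/cacert.pem https://curl.se/ca/cacert.pem.sha256

# sha256_of FILE -> prints the lowercase hex SHA-256 of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # macOS
    fi
}

# install_ca_bundle BUNDLE SHA256_FILE DEST_DIR
# Returns 0 on install, 1 on bad arguments, 2 on checksum mismatch,
# 3 if BUNDLE holds no PEM certificate.
install_ca_bundle() {
    bundle=$1 sumfile=$2 destdir=$3
    [ -f "$bundle" ] && [ -f "$sumfile" ] && [ -d "$destdir" ] || return 1

    # The checksum file has the form "<hex digest>  cacert.pem".
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    actual=$(sha256_of "$bundle")
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $bundle, not installing" >&2
        return 2
    fi

    # An HTML error page or empty file must never become the trust store.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$bundle" || return 3

    dest=$destdir/$(basename "$bundle")
    # Keep the previous bundle so the change can be rolled back.
    [ -f "$dest" ] && cp -p "$dest" "$dest.bak"
    # Copy to a temporary name, then rename, so readers never see a partial file.
    cp "$bundle" "$dest.new" && chmod 644 "$dest.new" && mv "$dest.new" "$dest"
}
```

Call it as install_ca_bundle cacert.pem cacert.pem.sha256 <OPENSSL_DIR>. The checksum comes from the same site as the bundle, so it catches a truncated or corrupted download rather than a compromised source.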