curl: (60) SSL certificate problem: unable to get local issuer certificate

Fix curl error 60 caused by a missing or outdated CA certificate bundle when connecting to HTTPS endpoints.

curl: (60) SSL certificate problem: unable to get local issuer certificate
When curl Produces This Error
What Causes SSL Certificate Error 60 in curl
How to Fix SSL Certificate Error 60 in curl
How to Verify the Fix

curl: (60) SSL certificate problem: unable to get local issuer certificate

curl produces error 60 when it cannot verify the server's SSL certificate against the local CA certificate bundle.

When curl Produces This Error

curl displays SSL certificate problem: unable to get local issuer certificate when connecting to an HTTPS endpoint whose certificate chain cannot be validated. This occurs during the TLS handshake before any HTTP data is exchanged.

What Causes SSL Certificate Error 60 in curl

curl verifies SSL certificates against a CA bundle file (typically /etc/ssl/certs/ca-certificates.crt on Ubuntu/Debian or /etc/pki/tls/certs/ca-bundle.crt on RHEL). The error occurs when the CA bundle is missing, outdated, or when the server uses a self-signed or private CA certificate not included in the system bundle.

How to Fix SSL Certificate Error 60 in curl

Update the system CA certificates:

sudo apt update && sudo apt install --reinstall ca-certificates
sudo update-ca-certificates

If the server uses a private CA, specify the CA certificate with --cacert:
```
curl --cacert /path/to/private-ca.crt https://internal.example.com/api
```
For debugging only (never in production), skip certificate verification:
```
curl -k https://example.com
```

How to Verify the Fix

A successful request completes without error 60. Verify the certificate chain with verbose output:

curl -v https://example.com 2>&1 | grep "SSL certificate verify ok"