Question

Getting error 60 when using cURL against my new site

I cannot use cURL against my new site, which is causing WordPress issues. Server is Ubuntu 18.04. Certificate came from CloudFlare and I get an A+ on SSLLabs. It is installed and functional in the web server. I downloaded the latest curl-cacert.pem and verified the file integrity with shasum.

Using cURL on a Ubuntu 16.04 server (at another provider) works fine.

The error message suggests checking https://curl.haxx.se/docs/sslcerts.html but I did not find my answer there. They suggested the --cacert flag but that makes no difference.

I already have installed the ca-certificates package and it is the latest version.

strace suggests some missing certificate files but I’m not sure how to rectify that. I tried symlinking various files into the place of the missing file but no gold.

What should I try next?

root@web01:~# curl https://securecoop.com/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
root@web01:~# cd /etc/ssl/certs/; wget https://curl.haxx.se/ca/cacert.pem.sha256; shasum -c cacert.pem.sha256; rm -f cacert.pem.sha256; cd
--2019-04-04 05:15:49--  https://curl.haxx.se/ca/cacert.pem.sha256
Resolving curl.haxx.se (curl.haxx.se)... 151.101.22.49, 2a04:4e42:5::561
Connecting to curl.haxx.se (curl.haxx.se)|151.101.22.49|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 77 [application/x-pem-file]
Saving to: ‘cacert.pem.sha256’

cacert.pem.sha256                                              100%[=================================================================================================================================================>]      77  --.-KB/s    in 0s

2019-04-04 05:15:49 (6.35 MB/s) - ‘cacert.pem.sha256’ saved [77/77]

cacert.pem: OK
root@web01:~# curl --cacert /etc/ssl/certs/curl.cacert.pem https://securecoop.com/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
root@web01:~# curl --cacert /etc/ssl/certs/ca-certificates.crt https://securecoop.com/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
root@web01:~# curl --cacert /etc/ssl/certs/securecoop.com.pem https://securecoop.com/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
root@web01:~# apt-get install ca-certificates
Reading package lists... Done
Building dependency tree
Reading state information... Done
ca-certificates is already the newest version (20180409).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@web01:~# strace -o curl.log curl https://securecoop.com/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
root@web01:~# grep "No such file" curl.log | grep "/etc/ssl/"
stat("/etc/ssl/certs/d947dbd7.0", 0x7ffd70bfeff0) = -1 ENOENT (No such file or directory)
stat("/etc/ssl/certs/d947dbd7.0", 0x7ffd70bfeff0) = -1 ENOENT (No such file or directory)
root@web01:~# ln -s /etc/ssl/certs/securecoop.com.pem /etc/ssl/certs/d947dbd7.0
root@web01:~# curl https://securecoop.com/
curl: (35) error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
root@web01:~# rm -f /etc/ssl/certs/d947dbd7.0
root@web01:~# ln -s /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/d947dbd7.0
root@web01:~# curl https://securecoop.com/
curl: (35) error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
root@web01:~# rm -f /etc/ssl/certs/d947dbd7.0
root@web01:~# ln -s /etc/ssl/certs/curl.cacert.pem /etc/ssl/certs/d947dbd7.0
root@web01:~# curl https://securecoop.com/
curl: (35) error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
root@web01:~# rm -f /etc/ssl/certs/d947dbd7.0
root@web01:~#
Show comments

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

My misconfiguration. I had placed the IP of my server in /etc/hosts as the domain name; but I was using CloudFlare and cURL was confused by the IP. Commented out this in /etc/hosts and all is well.

#1.2.3.4 securecoop.com

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.

This comment has been deleted