Question

Getting error 60 when using cURL against my new site

I cannot use cURL against my new site, which is causing WordPress issues. Server is Ubuntu 18.04. Certificate came from CloudFlare and I get an A+ on SSLLabs. It is installed and functional in the web server. I downloaded the latest curl-cacert.pem and verified the file integrity with shasum.

Using cURL on a Ubuntu 16.04 server (at another provider) works fine.

The error message suggests checking https://curl.haxx.se/docs/sslcerts.html but I did not find my answer there. They suggested the --cacert flag but that makes no difference.

I already have installed the ca-certificates package and it is the latest version.

strace suggests some missing certificate files but I’m not sure how to rectify that. I tried symlinking various files into the place of the missing file but no gold.

What should I try next?

root@web01:~# curl https://securecoop.com/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
root@web01:~# cd /etc/ssl/certs/; wget https://curl.haxx.se/ca/cacert.pem.sha256; shasum -c cacert.pem.sha256; rm -f cacert.pem.sha256; cd
--2019-04-04 05:15:49--  https://curl.haxx.se/ca/cacert.pem.sha256
Resolving curl.haxx.se (curl.haxx.se)... 151.101.22.49, 2a04:4e42:5::561
Connecting to curl.haxx.se (curl.haxx.se)|151.101.22.49|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 77 [application/x-pem-file]
Saving to: ‘cacert.pem.sha256’

cacert.pem.sha256                                              100%[=================================================================================================================================================>]      77  --.-KB/s    in 0s

2019-04-04 05:15:49 (6.35 MB/s) - ‘cacert.pem.sha256’ saved [77/77]

cacert.pem: OK
root@web01:~# curl --cacert /etc/ssl/certs/curl.cacert.pem https://securecoop.com/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
root@web01:~# curl --cacert /etc/ssl/certs/ca-certificates.crt https://securecoop.com/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
root@web01:~# curl --cacert /etc/ssl/certs/securecoop.com.pem https://securecoop.com/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
root@web01:~# apt-get install ca-certificates
Reading package lists... Done
Building dependency tree
Reading state information... Done
ca-certificates is already the newest version (20180409).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@web01:~# strace -o curl.log curl https://securecoop.com/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
root@web01:~# grep "No such file" curl.log | grep "/etc/ssl/"
stat("/etc/ssl/certs/d947dbd7.0", 0x7ffd70bfeff0) = -1 ENOENT (No such file or directory)
stat("/etc/ssl/certs/d947dbd7.0", 0x7ffd70bfeff0) = -1 ENOENT (No such file or directory)
root@web01:~# ln -s /etc/ssl/certs/securecoop.com.pem /etc/ssl/certs/d947dbd7.0
root@web01:~# curl https://securecoop.com/
curl: (35) error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
root@web01:~# rm -f /etc/ssl/certs/d947dbd7.0
root@web01:~# ln -s /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/d947dbd7.0
root@web01:~# curl https://securecoop.com/
curl: (35) error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
root@web01:~# rm -f /etc/ssl/certs/d947dbd7.0
root@web01:~# ln -s /etc/ssl/certs/curl.cacert.pem /etc/ssl/certs/d947dbd7.0
root@web01:~# curl https://securecoop.com/
curl: (35) error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
root@web01:~# rm -f /etc/ssl/certs/d947dbd7.0
root@web01:~#
Show comments

Submit an answer


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

My misconfiguration. I had placed the IP of my server in /etc/hosts as the domain name; but I was using CloudFlare and cURL was confused by the IP. Commented out this in /etc/hosts and all is well.

#1.2.3.4 securecoop.com

This comment has been deleted

    Try DigitalOcean for free

    Click below to sign up and get $200 of credit to try our products over 60 days!

    Sign up

    Get our biweekly newsletter

    Sign up for Infrastructure as a Newsletter.

    Hollie's Hub for Good

    Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

    Become a contributor

    Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

    Welcome to the developer cloud

    DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

    Learn more
    DigitalOcean Cloud Control Panel