Curl error 77 error setting certificate verify locations

I faced exactly with the same error in my own build of libcurl 7.67.0 linked against OpenSSL 1.1.1f built with my own config opts. Every try of making HTTPS connection fails with:

* error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* Closing connection 0
curl: (77) error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs

The problem was in no-stdio config opt, passed to ./config of OpenSSL, when i removed it error is gone.

Steps to reproduce (if somebody interested)

Using Ubuntu 16.04.7 LTS (i guess it’s not OS dependent, but i did all tests under 16.04.7), launch the following script to build curl with specified version of OpenSSL:

#!/bin/bash
curdir=$(pwd)
mkdir -p $curdir/depends
mkdir -p $curdir/res
cd $curdir/depends

version=1.1.1f
wget -qO- http://www.openssl.org/source/openssl-$version.tar.gz | tar xzv
cd openssl-$version
export CFLAGS=-fPIC
sed -i.old "s|"engines", "apps", "test"|"engines"|" Configure

./Configure no-shared no-stdio --prefix=${curdir}/res linux-x86_64
make -j1 build_libs libcrypto.pc libssl.pc openssl.pc
make install_sw

cd $curdir/depends
version=7.67.0
wget -qO- https://curl.haxx.se/download/curl-${version}.tar.gz | tar xzv
cd curl-${version}
PKG_CONFIG_LIBDIR="${curdir}/res/lib/pkgconfig" CPPFLAGS="-I${curdir}/res/include" LDFLAGS="-L${curdir}/res/lib" ./configure --prefix=${curdir}/res
make -j$(nproc)
make install

Test binary as:

./res/curl --verbose https://api.telegram.org

You will get something like:

*   Trying 149.154.167.220:443...
* TCP_NODELAY set
* Connected to api.telegram.org (149.154.167.220) port 443 (#0)
* ALPN, offering http/1.1
* error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* Closing connection 0
curl: (77) error setting certificate verify locations:
  CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none

Now remove no-stdio config opt from build script and also remove depends and res folders and re-build.

Result will be:

* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
...
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.16.1</center>
</body>
</html>
* Connection #0 to host api.telegram.org left intact

So, no-stdio conf opt of OpenSSL somehow affect on set certificate verify locations. Spent few hours to understand the root of issue.

Are you facing a curl error 77 problem with the SSL CA cert while curling an SSL website?

One of the main reasons for this error is broken or missing SSL chain certificate files on the server.

At Bobcares, we help our customers to fix similar SSL errors as part of our Server Management Services.

Today, let’s discuss the details on how to fix this error.

What is curl error 77 problem with the SSL CA cert?

Curl error 77 error is a server-side error.  This error indicated that the chain certificate files are missing or “broken”. Usually, this error happens simply by outdated SSL certificate(s) for cURL installed on the server.  Also, the wrong or incomplete configuration settings on the server can trigger the error on the website.

The error looks like,

Frequently, some website’s PHP scripts may fail with curl error 77 in Plesk servers.  Then the website shows the following error:

cURL error (77): Problem with the SSL CA cert (path? access rights?)cURL error (77): Problem with the SSL CA cert (path? access rights?)

This error occurs when PHP cURL uses an outdated set of root certificates to verify server certificates.

How to fix curl error 77 problem with the SSL CA cert

Now, let’s see how our Support Engineers fix the curl error 77  for our customers.

Curling an SSL website can result in an error curl: (77) Problem with the SSL CA cert (path? access rights?)on certain servers.

This error is the result of  SSL chain certificate files in the PKI directory being corrupted or missed.

Therefore, we make sure the files /etc/pki/tls/certs/ca-bundle.crt and /etc/pki/tls/certs/ca-bundle.trust.crt exist on the server. If they do not exist, we set up them for our customers.

Sometimes, the error gets resolve by removing and reinstalling the ca certificate.

In a CentOS server, we use the below commands to remove ca-bundle and to install a ca-certificate.

rm -f /etc/ssl/certs/ca-bundle.crt

yum reinstall -y ca-certificates

In Plesk servers, adding the following code to %plesk_dir%adminconfpanel.ini solve the error. By default,

%plesk_dir% is C:Program Files (x86)Plesk

[php]
curlCertificatesUrl="http://curl.haxx.se/ca/cacert.pem

Insufficient user permission

Sometimes the curl requests to https:// addresses stop working for cPanel users. However, the root user can still run the curl -I -v https://google.comcommand without any issue. 

The problem is due to insufficient permission of the user.  The user who is trying to accesscurl -I -v https://google.com doesn’t have enough permission to access /etc/pki directory. This due to the user only has jailed ssh access.

So, our Support Engineers fix the error by granting full access to the user.

Other common SSL certificate problem

Similarly, the error SSL certificate problem: Unable to get local issuer certificate can occur when a self-signed certificate cannot be verified or it shows that the root certificates on the system are not working correctly.

Also, It is important to note that this applies to the system sending the CURL request, and NOT the server receiving the request.

To fix the error,

1. Initially, download cacert.pem. from https://curl.haxx.se/ca/cacert.pem

2. Add the following line to php.ini:

curl.cainfo="/path/to/downloaded/cacert.pem"

Furthermore, if the server is shared hosting, add the above value to .user.ini file in the public_html folder.

3. Restart PHP

Now, CURL is able to read HTTPS URL without any error.

[Need assistance to fix curl error 77?- We’re available 24/7.]

Conclusion

In short, the curl error 77 problem with the SSL CA cert occurs when SSL chain certificate files are missing or broken. Today, we saw how our Support Engineers fixed this error.

var google_conversion_label = «owonCMyG5nEQ0aD71QM»;

I am using Ubuntu 14.04. When I use curl, I get the following error:

curl: (77) error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath:

From what I gather from googling, the CAfile location it is looking for is not correct for Ubuntu (and it doesn’t exist on my computer), /etc/ssl/certs/ca-certificates.crt is the proper location.

Most of the solutions involved setting the environment variable CURL_CA_BUNDLE to the proper location, or adding cacert=/etc/ssl/certs/ca-certificates.crt to the (newly created) .curlrc file in my home directory. I have tried both, and neither completely solve the issue. curl is finding this location, but it still doesn’t work, giving the error:

curl: (60) SSL certificate problem: self signed certificate in certificate chain

I also tried uninstalling and reinstalling curl in Ubuntu, and updating my CA certs with $ sudo update-ca-certificates --fresh which updated the certs, but still didn’t make error 60 go away.

I am not that knowledgeable about CA certs, and doubt I purposely added some self signed certificate in the past. Perhaps by accident, I don’t know.

Does anyone know how to fix this? Is there a way to actually start fresh with all my certs? Or does anyone even know how I go about figuring out where this self signed certificate is, and then how to remove it?

PS: I don’t want to use the -k (aka —insecure) flag. I want to get this working securely.

The problem arises because OS X doesn’t keep its CA certs in the file system; they live in the «System Roots» keychain. You can see them with the Keychain Access app (found in your Applications/Utilities folder).

For those tools that don’t know how to talk to the keychain (like curl), you can export these certs to a folder of your choice, say /etc/ssl/certs to be consistent with most linux distros. You can either drag and drop them out of Keychain Access into a finder window, or select them and choose «Export items…» from the file menu. With drag and drop it always seems to use the binary .cer format, whereas most CLI tools want base64-encoded PEM (commonly using the .crt file extension). You can export in pem format from keychain access, but it only seems to export one cert at a time even if you have multiple certs selected. To work around this, I wrote a bash script to batch convert .cer to PEM format .crt files:

#!/bin/bash
#Convert all .cer files in this folder into PEM format .crt files
shopt -s nullglob
for f in *.cer
do
        openssl x509 -inform der -in "${f}" -outform pem -out "${f%.*}.crt"
        rm "$f"
done
chmod 444 *crt

To use it, make a folder, put this script in it (I called it cerconv.sh), drag and drop all your root CA certs into it, open a terminal in that folder and just run bash cerconv.sh.

To avoid nefarious things swapping out your CA certs, I added a line to chmod them all as read-only.

This may all be unnecessary — I certainly have no trouble with git(hub), homebrew, curl etc without having to do this, and have done for years — but at least you now know how to get the certs.

This approach is better than using -k in curl because you’re not compromising your security.

Update: I just discovered the security utility on OS X. Here’s a command that uses it to to export all certificates from your system keychain into a single .pem file that should be usable with curl:

security export -p -t certs -k `security list-keychains -d system|cut -d '"' -f 2` -o certs/certs.pem