How to fix curl: (60) SSL certificate: Invalid certificate chain


Solution 1

Using the Safari browser (not Chrome, Firefox or Opera) on Mac OS X 10.9 (Mavericks) visit https://registry.npmjs.org

Screenshot of Safari showing certificate error

Click the Show certificate button and then check the checkbox labelled Always trust. Then click Continue and enter your password if required.

Always trust checkbox

Curl should now work with that URL correctly.

Solution 2

First off, you should be wary of URLs that throw SSL errors. That being said, you can suppress certificate errors in curl with

curl -k https://insecure.url/content-i-really-really-trust

Solution 3

NOTE: This answer obviously defeats the purpose of SSL and should be used sparingly as a last resort.

For those having issues with scripts that download scripts that download scripts and want a quick fix, create a file called ~/.curlrc

With the contents

--insecure

This will cause curl to ignore SSL certificate problems by default.

Make sure you delete the file when done.

UPDATE

12 days later I got notified of an upvote on this answer, which made me go "Hmmm, did I follow my own advice and remember to delete that .curlrc?", and discovered I hadn't. So that really underscores how easy it is to leave your curl insecure by following this method.

Solution 4

The problem is an expired intermediate certificate that is no longer used and must be deleted. Here is a blog post from Digicert explaining the issue and how to resolve it.

https://blog.digicert.com/expired-intermediate-certificate/

I was seeing the issue with Github not loading via SSL in both Safari and the command line with git pull. Once I deleted the old expired cert everything was fine.

Solution 5

After updating to OS X 10.9.2, I started having invalid SSL certificate issues with Homebrew, Textmate, RVM, and Github.

When I initiate a brew update, I was getting the following error:

fatal: unable to access 'https://github.com/Homebrew/homebrew/': SSL certificate problem: Invalid certificate chain
Error: Failure while executing: git pull -q origin refs/heads/master:refs/remotes/origin/master

I was able to alleviate some of the issue by just disabling the SSL verification in Git. From the console (a.k.a. shell or terminal):

git config --global http.sslVerify false

I am leery to recommend this because it defeats the purpose of SSL, but it is the only advice I've found that works in a pinch.

I tried rvm osx-ssl-certs update all which stated Already are up to date.

In Safari, I visited https://github.com and attempted to set the certificate manually, but Safari did not present the options to trust the certificate.

Ultimately, I had to Reset Safari (Safari->Reset Safari... menu). Then afterward visit github.com and select the certificate, and "Always trust". This feels wrong and deletes the history and stored passwords, but it resolved my SSL verification issues. A bittersweet victory.
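
A check for the leftovers that Solution 3 (the ~/.curlrc file) and Solution 5 (git config --global http.sslVerify false) can leave behind. This is an added example, not part of any answer on this page; the function names are made up for illustration, and it only looks at ~/.curlrc, $CURL_HOME/.curlrc and the global git config.

```sh
#!/bin/sh
# Added example: report settings that leave TLS verification switched off.

# curlrc_insecure FILE: exit 0 if FILE disables certificate checks.
# curl config files accept "--insecure", "insecure" (dashes are optional
# for long names) and the short form "-k", also bundled as in "-sk".
curlrc_insecure() {
    [ -r "$1" ] || return 1
    awk '
        $1 ~ /^#/ { next }                           # comment line
        { opt = $1; sub(/[=:].*$/, "", opt) }        # strip "=value" / ":value"
        opt == "--insecure" || opt == "insecure" { found = 1 }
        opt ~ /^-[A-Za-z]*k[A-Za-z]*$/ { found = 1 } # may over-report, e.g. "-ok"
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# git_verify_disabled: exit 0 if the global git config sets http.sslVerify
# to a false value (--bool normalises "0", "no", "off" to "false").
git_verify_disabled() {
    command -v git >/dev/null 2>&1 || return 1
    [ "$(git config --global --bool --get http.sslVerify 2>/dev/null)" = "false" ]
}

# audit_tls_overrides: print a warning per finding; exit 1 if any was found.
audit_tls_overrides() {
    bad=0
    for rc in "$HOME/.curlrc" ${CURL_HOME:+"$CURL_HOME/.curlrc"}; do
        if curlrc_insecure "$rc"; then
            echo "WARN: $rc disables certificate checks (remove the line or the file)"
            bad=1
        fi
    done
    if git_verify_disabled; then
        echo "WARN: git http.sslVerify is false; undo with:"
        echo "      git config --global --unset http.sslVerify"
        bad=1
    fi
    return "$bad"
}

audit_tls_overrides || echo "Certificate verification is switched off; see above."
```

Run it after any session in which one of these workarounds was used; it prints nothing when neither override is present.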

Author: leafiy

Updated on July 05, 2022

Comments

  • leafiy almost 2 years

    I get the following error running curl https://npmjs.org/install.sh | sh on Mac OSX 10.9 (Mavericks):

    install npm@latest
    curl: (60) SSL certificate problem: Invalid certificate chain
    More details here: http://curl.haxx.se/docs/sslcerts.html
    

    How do I fix this?

  • Lewis Buckley over 10 years
    Sure. Looks like the certificate is valid for npmjs.org but not the subdomain registry.npmjs.org. If you look at the source of install.sh it attempts to use curl to then download from registry.npmjs.org. So you need to visit registry.npmjs.org rather than npmjs.org to trigger the certificate error, where you can then choose to trust the certificate.
  • mmmeff over 10 years
    I was unable to run "curl npmjs.org/install.sh | sh" until I did this. You're a life-saver!
  • djneely about 10 years
    Setting the git config --global http.sslVerify false helped me with our self-signed certificate as I didn't have a chain file.
  • wizonesolutions about 10 years
    This answer is a better solution, in my opinion: superuser.com/questions/721778/…. Remove DigiCert root certificates from the Login keychain.
  • Maverick about 10 years
    I've tried this on Mavericks and removing the DigiCert High Assurance EV Root CA certificate & resetting Safari did fix my issue.
  • Huckphin about 10 years
    I had this problem with the Github certificate, and this worked for it as well. I have been having problems since Github replaced their certificate due to the #heartbleed exploit.
  • tomo almost 10 years
    +1 because this was exactly my issue. The root was definitely trusted, but I had two copies of "DigiCert High Assurance EV Root CA" somehow.
  • jefflunt over 9 years
    rvm osx-ssl-certs update all fixed it for me. Thanks!
  • Tony Giaccone over 9 years
    Can you explain exactly what Safari did when you clicked that button? I assume the remove certificate was copied someplace locally, but did it go to the java cacert, or to your keychain, or some other file? Knowing you can fix it is good, but knowing what happens is even better.
  • Lewis Buckley over 9 years
    Safari uses keychain so I presume trusting the certificate adds it to the list of trusted certificates system-wide, which also allows curl to work with the same certificate. This could be verified by checking Keychain Access after trusting the certificate in Safari.
  • SuperUberDuper about 9 years
    how do you reverse: git config --global http.sslVerify false
  • Dida over 8 years
    In addition to adding intermediate certificates and removing the expired ones, I also need to remove certificates that were signed by an unknown authority. These can be found in "Logins" Keychains. They use the same icon as non-expired certificates. So you need to highlight them one by one (see picture). These certs were added when you click "Continue" to a browser warning.
  • pronebird over 7 years
    There is no such option as Reset Safari anymore
  • Tharusha over 5 years
    This is the most logical answer ("Use -k after curl command"). Thanks @Steen.
  • TheTechRobo Stands for Ukraine almost 4 years
    Problem was, I wasn't sure where it was being run (I was installing craft) so I had to go Lewis Buckley's way
  • Carson about 3 years
    -k or --insecure Allow insecure server connections when using SSL
  • pathfinder over 2 years
    This!!!! Yes, I am running an older MacOS (Mojave) and replacing this cert was the exact fix!!! Thank you so much. This problem is different than the others because it worked everywhere else except the command line and all my certs were valid in my keychain and it worked fine on other computers even on command line.
  • T'East over 2 years
    you save my day! thanks
  • Mark Bower over 2 years
    This reminds me of the "xkcd" cartoon about "sudo": xkcd.com/149. ALL of my attempts at using curl ALWAYS resulted in errors! Because of this post, I now add "-k". Everything works. Thanks.
  • joachim about 2 years
    That says '==> Searching taps on GitHub... Error: No formulae found in taps.'
  • Constantine Kurbatov about 2 years
    Weird. Just checked in Catalina, worked as well. What mac version?
  • joachim about 2 years
    10.14.6. I've updated homebrew now and it's working!