cURL and self signed certificates on FreeBSD 13


cURL cannot verify the remote server's certificate, e.g. because it is self signed or signed by an unknown CA:

$ curl https://my.webserver.internal/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here:

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Insecure solution

$ curl -k https://my.webserver.internal/

Secure suggestion

  1. Recompile cURL without the CA_BUNDLE option:
    # make -C /usr/ports/ftp/curl config
    # make -C /usr/ports/ftp/curl
    # make -C /usr/ports/ftp/curl deinstall reinstall clean
  2. Place your CA's root certificate to /usr/local/share/certs. Make sure its filename ends with .pem.
  3. Rehash /etc/ssl/certs with certctl:
    # certctl -v rehash


If cURL has been compiled with CA_BUNDLE set, it verifies any remote server against /usr/local/share/certs/ca-root-nss.crt only.