curl "(60) SSL certificate problem: unable to get local issuer certificate" in CI
curl completed the TCP connection and started a TLS handshake, but it could not chain the server certificate up to a trusted root in the runner's CA bundle. The handshake is aborted before any bytes transfer. The usual cause on a CI runner is a missing or stale ca-certificates package, or a corporate proxy that re-signs TLS with a CA the runner does not trust.
What this error means
A curl step fails with "curl: (60) SSL certificate problem: unable to get local issuer certificate" and exits non-zero. HTTP over plain port 80 still works; only HTTPS fails.
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it.Common causes
The runner has no CA bundle or a stale one
A slim container image ships without the ca-certificates package, or with an outdated bundle, so curl has no trusted root to chain the server certificate to.
A TLS-inspecting proxy re-signs traffic with an untrusted CA
A corporate MITM proxy presents a certificate signed by an internal CA. That CA is not in the runner store, so curl cannot find the local issuer.
How to fix it
Install and refresh the CA bundle on the runner
- Install the
ca-certificatespackage in a setup step before the curl call. - Run
update-ca-certificatesso curl can chain to a trusted root. - Re-run the request to confirm the handshake now completes.
sudo apt-get update && sudo apt-get install -y ca-certificates
sudo update-ca-certificatesTrust the corporate proxy CA explicitly
Add the proxy root certificate to the system store, or point curl at it with --cacert, so the re-signed chain validates.
# add the proxy root to the trust store
sudo cp corp-root-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
# or point curl directly at the bundle
curl --cacert /etc/ssl/certs/ca-certificates.crt https://example.comHow to prevent it
- Bake
ca-certificatesinto custom runner images and keep it current. - Install the corporate proxy CA into the system trust store, not per-command flags.
- Prefer trusting the CA over
curl -k, which only masks the verification failure.