Skip to content
Latchkey

curl "(60) SSL certificate problem: unable to get local issuer certificate" in CI

curl completed the TCP connection and started a TLS handshake, but it could not chain the server certificate up to a trusted root in the runner's CA bundle. The handshake is aborted before any bytes transfer. The usual cause on a CI runner is a missing or stale ca-certificates package, or a corporate proxy that re-signs TLS with a CA the runner does not trust.

What this error means

A curl step fails with "curl: (60) SSL certificate problem: unable to get local issuer certificate" and exits non-zero. HTTP over plain port 80 still works; only HTTPS fails.

Terminal
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it.

Common causes

The runner has no CA bundle or a stale one

A slim container image ships without the ca-certificates package, or with an outdated bundle, so curl has no trusted root to chain the server certificate to.

A TLS-inspecting proxy re-signs traffic with an untrusted CA

A corporate MITM proxy presents a certificate signed by an internal CA. That CA is not in the runner store, so curl cannot find the local issuer.

How to fix it

Install and refresh the CA bundle on the runner

  1. Install the ca-certificates package in a setup step before the curl call.
  2. Run update-ca-certificates so curl can chain to a trusted root.
  3. Re-run the request to confirm the handshake now completes.
Terminal
sudo apt-get update && sudo apt-get install -y ca-certificates
sudo update-ca-certificates

Trust the corporate proxy CA explicitly

Add the proxy root certificate to the system store, or point curl at it with --cacert, so the re-signed chain validates.

Terminal
# add the proxy root to the trust store
sudo cp corp-root-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
# or point curl directly at the bundle
curl --cacert /etc/ssl/certs/ca-certificates.crt https://example.com

How to prevent it

  • Bake ca-certificates into custom runner images and keep it current.
  • Install the corporate proxy CA into the system trust store, not per-command flags.
  • Prefer trusting the CA over curl -k, which only masks the verification failure.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →