curl/OpenSSL "unable to get local issuer certificate" in CI
The server sent its certificate, but the client cannot find the issuing CA to complete the chain to a trusted root. This is a missing or incomplete CA bundle on the runner, or a server that did not send its intermediate certificate.
What this error means
curl fails with "SSL certificate problem: unable to get local issuer certificate" (exit 60). OpenSSL prints "verify error:num=20:unable to get local issuer certificate".
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.htmlCommon causes
The runner has no or a stale CA bundle
A slim image without ca-certificates, or an outdated bundle, has no issuer to validate against, so the chain cannot be built.
The server omits its intermediate certificate
If the server only sends the leaf and not the intermediate, the client cannot bridge to the root without the missing CA locally.
How to fix it
Install and refresh the CA bundle
Provide an up-to-date trust store on the runner so the issuer chain resolves.
apt-get update && apt-get install -y ca-certificates
update-ca-certificatesPoint the client at an explicit CA file
When a proxy or internal CA is involved, pass the correct bundle rather than skipping verification.
curl --cacert /etc/ssl/certs/corp-ca-bundle.pem https://internal.example.com/How to prevent it
- Include
ca-certificatesin custom runner images and keep it current. - Verify servers serve the full chain including intermediates.
- Standardize on one CA bundle path across curl, git, and language runtimes.