Using the ca-bundle to prevent certificate errors in curl
When you first download and install curl and you try to request something over https, it's likely that you will get an error along these lines:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
You might think that you can bypass this with the --insecure or -k option, but this is insecure: it means that curl isn't checking the identity of the remote server before downloading the file in question, leaving you open to a man-in-the-middle attack. The solution: point curl at a bundle of root certificates that it can use to verify a server's identity.
Since curl doesn't pay attention to the certificate store on Windows, we have to provide it with a file that contains these root certificates instead. This can be done by running a script provided by the curl developers that automatically downloads the certificates from Mozilla Firefox's source code and compiles them into a format that curl can understand.
Here's a direct link to the script: mk-ca-bundle.pl
Simply download and run that script, and it will generate a file called ca-bundle.crt in the current directory. Rename it to curl-ca-bundle.crt, and copy it to the directory that you installed curl to. Curl will find it when you next request something over https.
Alternatively, if you can't copy it to the folder that you installed curl to, you can set the CURL_CA_BUNDLE environment variable to the full path to the ca-bundle.crt file.
If you can't run the mk-ca-bundle.pl script, then you can download a ready-made version from this website. My server will update it automatically at 1am UK time every Saturday.
Here's a link: ca-bundle.crt
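The steps above (generate the bundle, install it next to curl, or fall back to CURL_CA_BUNDLE) written out as a PowerShell script, with a check that the bundle is intact and that verification works without -k. This is an added example, not part of the original post; it assumes perl is on the PATH, mk-ca-bundle.pl is in the current directory, and uses C:\Tools\curl and https://example.com/ as placeholders.

```powershell
# Added example. Assumptions: perl is on PATH, mk-ca-bundle.pl is in the
# current directory, C:\Tools\curl is a placeholder install directory.
$ErrorActionPreference = 'Stop'
$curlDir = 'C:\Tools\curl'                   # placeholder, adjust to your install
$curlExe = Join-Path $curlDir 'curl.exe'     # curl.exe, not the PowerShell "curl" alias
$bundle  = Join-Path (Get-Location).Path 'ca-bundle.crt'

# 1. Generate ca-bundle.crt in the current directory.
& perl .\mk-ca-bundle.pl
if ($LASTEXITCODE -ne 0) { throw "mk-ca-bundle.pl exited with code $LASTEXITCODE" }

# 2. Refuse to install an empty or truncated bundle: every PEM BEGIN marker
#    must have a matching END marker, and there must be at least one.
$begin = @(Select-String -Path $bundle -Pattern '^-----BEGIN CERTIFICATE-----').Count
$end   = @(Select-String -Path $bundle -Pattern '^-----END CERTIFICATE-----').Count
if ($begin -eq 0 -or $begin -ne $end) {
    throw "Bundle looks damaged: $begin BEGIN markers, $end END markers"
}
Write-Host "Bundle contains $begin root certificates"

# 3. Install it next to curl.exe under the name curl looks for. If the copy
#    fails (for example, no write access), use CURL_CA_BUNDLE instead.
try {
    Copy-Item -Path $bundle -Destination (Join-Path $curlDir 'curl-ca-bundle.crt') -Force
    Write-Host "Installed curl-ca-bundle.crt in $curlDir"
}
catch {
    # Persist for future sessions (per-user) and set it for this session too.
    [Environment]::SetEnvironmentVariable('CURL_CA_BUNDLE', $bundle, 'User')
    $env:CURL_CA_BUNDLE = $bundle
    Write-Host "Could not copy to $curlDir; CURL_CA_BUNDLE now points at $bundle"
}

# 4. Confirm that verification succeeds WITHOUT --insecure / -k.
#    Exit code 60 is the certificate error quoted at the top of this page.
& $curlExe --silent --show-error --head 'https://example.com/' | Out-Null
switch ($LASTEXITCODE) {
    0       { Write-Host 'Certificate verification succeeded' }
    60      { throw 'curl still cannot verify the server certificate (error 60)' }
    default { throw "curl failed for another reason (exit code $LASTEXITCODE)" }
}
```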