Introduction
There is nothing quite like the specific frustration of trying to run a simple package update, only to be blocked by a wall of SSL errors. You know the one: SSL certificate problem: unable to get local issuer certificate.
Suddenly, your quick update turns into a two-hour deep dive into OpenSSL documentation.
If you are seeing Error 60 when using curl or having trouble accessing package updates because your system doesn’t trust a self-signed or custom certificate, you aren’t alone. This usually happens because your certificate (or its Certificate Authority) isn’t sitting in your system’s “VIP list”, the trusted CA store.
In this guide, we will cover how to install a custom SSL certificate on Ubuntu properly, so tools like curl and apt stop complaining and start working.
The Prerequisites: File Formats Matter
Before we throw commands into the terminal, we need to ensure your certificate is dressed for the occasion.
Ubuntu’s update tools are a bit particular. To successfully import your certificate:
- Format: It must be a PEM format file.
- Extension: It must have a .crt extension.
If your file is currently a .pem, simply rename it to .crt for this process. If it’s in a different format (like DER or PFX), you will need to convert it using OpenSSL first.
Step-by-Step: How to Install a Custom SSL Certificate on Ubuntu
Once your .crt file is ready, the installation process is actually quite straightforward. We aren’t just “installing” it; we are adding it to the global trust store so that all applications (including curl) can find it.
1. Copy the Certificate
First, we need to move your certificate file into the directory where Ubuntu looks for local user certificates.
Run the following command (replace your-cert.crt with your actual filename):
sudo cp your-cert.crt /usr/local/share/ca-certificates/
2. Update the CA Store
Moving the file isn’t enough; we need to tell the system to register it. We do this by refreshing the list of SSL certificates.
Run:
sudo update-ca-certificates --fresh
What just happened?
This command scans the /usr/local/share/ca-certificates/ directory, finds your .crt file, and adds it to the system’s master bundle, usually located at /etc/ssl/certs/ca-certificates.crt. You should see output indicating that 1 certificate was added.
Note: Using the --fresh flag effectively resets the directory, ensuring no stale links are left behind.
The “Trust” Test: Verifying Your Installation
Did it actually work? Before you go back to your package updates, let’s verify that your custom certificate is sitting happily in the master file.
You can search the bundle using grep:
grep 'Your Certificate Subject or Issuer' /etc/ssl/certs/ca-certificates.crt
If you see your certificate’s name returned in the output, congratulations! Your system now officially trusts your custom SSL.
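The bundle holds each certificate as a base64 PEM block, so a subject string shows up in it only if your .crt file itself carried text headers. As an added example (not part of the original post), this script checks membership by SHA-256 fingerprint of the decoded certificate bytes instead; the function names and sample payloads are constructed for illustration, and it assumes awk plus coreutils (base64, sha256sum).

```sh
#!/bin/sh
# Added example: is a certificate in a CA bundle? Compares SHA-256 fingerprints
# of the decoded DER bytes, so line wrapping and text headers do not matter.

# Print one SHA-256 hex digest per CERTIFICATE block in PEM file $1.
pem_fingerprints() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { grab = 1; b64 = ""; next }
        /-----END CERTIFICATE-----/   { if (grab) print b64; grab = 0; next }
        grab { gsub(/[ \t\r]/, ""); b64 = b64 $0 }
    ' "$1" | while IFS= read -r b64; do
        printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
    done
}

# Return 0 if the first certificate in $1 is in bundle $2, 1 if it is not,
# 2 if $1 contains no PEM certificate block at all.
cert_in_bundle() {
    want=$(pem_fingerprints "$1" | head -n 1)
    [ -n "$want" ] || return 2
    pem_fingerprints "$2" | grep -qxF "$want"
}

# Constructed sample data: placeholder payloads, not real X.509 certificates.
make_pem() {  # $1 = payload bytes, $2 = base64 line width
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s' "$1" | base64 | tr -d '\n' | fold -w "$2"; echo
    printf '%s\n' '-----END CERTIFICATE-----'
}

demo() {
    dir=$(mktemp -d)
    make_pem 'constructed internal CA payload' 64 > "$dir/your-cert.crt"
    make_pem 'constructed unrelated payload' 64 > "$dir/other.crt"
    {   make_pem 'constructed public root payload' 64
        echo 'subject=CN = text between blocks is ignored'
        make_pem 'constructed internal CA payload' 16   # same bytes, rewrapped
    } > "$dir/bundle.crt"
    cert_in_bundle "$dir/your-cert.crt" "$dir/bundle.crt" && echo "your-cert.crt: in bundle"
    cert_in_bundle "$dir/other.crt" "$dir/bundle.crt" || echo "other.crt: NOT in bundle"
    rm -rf "$dir"
}
demo
```

On a real system, drop the demo call and run cert_in_bundle /usr/local/share/ca-certificates/your-cert.crt /etc/ssl/certs/ca-certificates.crt; a non-zero exit means the store was not updated with your certificate.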
Troubleshooting Curl: When the Internet Still Says “No”
Sometimes, even after you’ve done everything right, curl decides to be rebellious. You might still see the dreaded “unable to get local issuer certificate” error.
Here is how to troubleshoot curl specifically:
1. Explicitly Point to the CA Bundle
If curl is ignoring the global store, you can force it to look at the file we just updated:
curl --cacert /etc/ssl/certs/ca-certificates.crt https://your.server.com/
2. Reinstall the CA Certificates Package
If the error persists, your local CA bundle might be corrupted or outdated. This is a common cause of SSL errors during package updates. A clean reinstall often fixes the plumbing:
sudo apt-get update
sudo apt-get install --reinstall curl ca-certificates
Why You Should Avoid the “Insecure” Flag (-k)
When you are stuck in SSL hell, the temptation to use the -k or --insecure flag is strong.
Don’t do it.
Yes, typing curl -k bypasses the error and gets you your file. But it does so by completely ignoring SSL validation. In a production environment, this is the digital equivalent of leaving your front door unlocked because you lost your keys. It leaves you vulnerable to Man-in-the-Middle (MitM) attacks.
Always prefer adding your cert to the CA store (as we did above) over disabling security checks.
Conclusion
SSL certificate issues on Ubuntu can be a major blocker, but they are usually solved by simply ensuring your .crt file is in the right folder and the store is updated. By following these steps, you ensure that curl, apt, and other tools can communicate securely with your custom endpoints.
Got a tricky SSL error that this guide didn’t fix? Drop your error log in the comments below and let’s figure it out.