curl / Mailing Lists / curl-users / Single Mail


Re: Using curl behind a proxy: unable to get local issuer certificate

From: Ray Satiro <>
Date: Tue, 30 Jan 2018 16:32:31 -0500

On 1/29/2018 4:53 AM, Daniel Stenberg wrote:
> On Sat, 27 Jan 2018, 杜秀涛 via curl-users wrote:
>> I want to visit, in a linux server. I have set
>> environment
>> variable HTTP_PROXY and HTTPS_PROXY, when I issued this command:
>> *% curl -LO
>> <>*
>> I got this error: *unable to get local issuer certificate*
> This error is usually what you get when the server doesn't send you
> the full set of certificates. Usually there's a missing intermediate
> certificate.
> Athough in this case, I can curl this site just fine so I would
> perhaps rather suspect that your CA store is incomplete / out-of-date?
>> When I was trying to solve the problem, I found that, the certificate
>> my browser and the openssl showcerts command shows different while
>> they were using the same proxy.
>> In my browser, I got certificates like this:
>> *SECOND: <>*
> Having your company accepted in the browser's CA store is a sign that
> you're using a MITM proxy and your traffic is intercepted and
> inspected. That is intself not a reason for an error, but perhaps you
> don't have your company's CA cert in your CA store for your curl command?
>> I want to know why,
> I don't know! It's not a common scenario...

I agree. Run curl with -v and check the server certificate and issuer.
Also check the CA certificate locations which are shown in this format:

* successfully set certificate verify locations:
*   CAfile: /foo/bar
  CApath: none

Received on 2018-01-30