When working with HTTPS services on Linux, a certificate error, SSL certificate problem, or unable to verify the first certificate may occur. It usually means that the system cannot verify the authenticity of the server's SSL certificate.
In this article, we will analyze the causes of the error and ways to fix it for Windows and Linux-based clients!
Linux
Step 1. Check the error text
When connecting via curl, wget, git, or other utilities, one of the following errors may appear:
SSL certificate problem: unable to get local issuer certificate
SSL certificate problem: self signed certificate
certificate verify failed
This means that:
- There is no root certificate in the system,
- The certificate is not trusted, or
- A self-signed certificate without trusted chains is installed.
Step 2. Update the root certificates
The most common reason is outdated or missing trusted root certificates.
For CentOS / RedOS / RHEL:
sudo yum install -y ca-certificates
sudo update-ca-trust force-enable
sudo update-ca-trust extract
For Ubuntu / Debian:
sudo apt update
sudo apt install -y ca-certificates
sudo update-ca-certificates

Step 3. Checking the certificate manually
You can verify the SSL certificate chain using openssl:
openssl s_client -connect example.com:443

If the output shows verify error:num=20:unable to get local issuer certificate, it means the chain is incomplete or the client lacks a trusted CA.
Step 4. Add a self-signed certificate
If you use your own certificate (for example, from your own VPN or proxy), you need to add it to the trusted storage.:
Copy the certificate to the system storage:
sudo cp my-ca.crt /etc/pki/ca-trust/source/anchors/
Update the storage:
sudo update-ca-trust extract
For Ubuntu:
sudo cp my-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
Step 5. Bypassing verification (not recommended)
If the certificate is temporarily unavailable or you are working in an isolated environment, you can temporarily disable verification.:
curl -k https://example.com

The -k parameter allows you to establish a connection to the server ignoring errors, however, this method may not work if HSTS is installed on the server!
git config --global http.sslVerify false
Do not use this in production — it violates the security of the connection.
Windows
Step 1. Checking the error text
The error often looks like this: "SSL certificate problem: unable to get local issuer certificate
certificate verify failed: unable to get local issuer certificate
self signed certificate in certificate chain" or "This site is not secure"
Step 2. Updating root certificates
The Windows operating system automatically updates root certificates through Windows Update. If automatic updates are disabled:
Make sure that the Windows Update Service (wuauserv) is enabled.
Update the system manually:
control update
Or via PowerShell:
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Install-Module -Name PSWindowsUpdate -Force
Install-WindowsUpdate -AcceptAll -AutoReboot
Step 3. Install a custom (self-signed) certificate
If you are using a proxy, a corporate network, or a test server with a self-signed SSL certificate:
Adding the certificate manually:
- Double-click the .crt file.
- Click Install Certificate.
- Choose: Local computer or Put it in storage: Trusted root certification authorities
Confirm the installation.
To install on behalf of the local computer, you need administrator rights.
Step 4. For Git: Trust in certificates
Git on Windows uses its own curl and openssl, and may not see the system certificates. To add your own .crt:
Place the certificate in a folder, for example:
C:\Program Files\Git\mingw64\ssl\certs\my-ca.crt
Edit the file:
C:\Program Files\Git\mingw64\ssl\cert.pem
Add the contents of the .crt to the end of the file.
Or specify it manually:
git config --global http.sslCAInfo "C:/path/to/my-ca.crt"
Step 5. For Python / pip
If, when installing packages, it appears:
SSL: CERTIFICATE_VERIFY_FAILED
Use it:
python -m pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org package_name
Or add a path to your CA:
set SSL_CERT_FILE=C:\path\to\my-ca.crt
Step 6. Temporarily disable verification (not recommended)
For curl, we will use the command:
curl -k https://example.com
Let's change the configuration for Git:
git config --global http.sslVerify false
The certificate error error most often occurs due to the lack of trusted root certificates or the use of self-signed certificates. In this article, we've figured out how to update root certificates, add your own, and safely fix the error.