How to Fix Certificate Errors - SSL & Trusted Root Certificates Guide

When working with HTTPS services on Linux, a certificate error, SSL certificate problem, or unable to verify the first certificate may occur. It usually means that the system cannot verify the authenticity of the server's SSL certificate.

Windows Cloud Servers from $5 / moLicense includedTry

In this article, we will analyze the causes of the error and ways to fix it for Windows and Linux-based clients!

Linux

Step 1. Check the error text

When connecting via curl, wget, git, or other utilities, one of the following errors may appear:

This means that:

• There is no root certificate in the system,
• The certificate is not trusted, or
• A self-signed certificate without trusted chains is installed.

Step 2. Update the root certificates

The most common reason is outdated or missing trusted root certificates.

For CentOS / RedOS / RHEL:

For Ubuntu / Debian:

Step 3. Checking the certificate manually

You can verify the SSL certificate chain using openssl:

If the output shows verify error:num=20:unable to get local issuer certificate, it means the chain is incomplete or the client lacks a trusted CA.

Step 4. Add a self-signed certificate

If you use your own certificate (for example, from your own VPN or proxy), you need to add it to the trusted storage.:

Copy the certificate to the system storage:

Update the storage:

For Ubuntu:

Step 5. Bypassing verification (not recommended)

If the certificate is temporarily unavailable or you are working in an isolated environment, you can temporarily disable verification.:

The -k parameter allows you to establish a connection to the server ignoring errors, however, this method may not work if HSTS is installed on the server!

Do not use this in production — it violates the security of the connection.

Windows

Step 1. Checking the error text

The error often looks like this: "SSL certificate problem: unable to get local issuer certificate
certificate verify failed: unable to get local issuer certificate
self signed certificate in certificate chain" or "This site is not secure"

Step 2. Updating root certificates

The Windows operating system automatically updates root certificates through Windows Update. If automatic updates are disabled:

Make sure that the Windows Update Service (wuauserv) is enabled.

Update the system manually:

Or via PowerShell:

Step 3. Install a custom (self-signed) certificate

If you are using a proxy, a corporate network, or a test server with a self-signed SSL certificate:

Adding the certificate manually:

1. Double-click the .crt file.
2. Click Install Certificate.
3. Choose: Local computer or Put it in storage: Trusted root certification authorities

Confirm the installation.

To install on behalf of the local computer, you need administrator rights.

Step 4. For Git: Trust in certificates

Git on Windows uses its own curl and openssl, and may not see the system certificates. To add your own .crt:

Place the certificate in a folder, for example:

Edit the file:

Add the contents of the .crt to the end of the file.

Or specify it manually:

Step 5. For Python / pip

If, when installing packages, it appears:

Use it:

Or add a path to your CA:

Step 6. Temporarily disable verification (not recommended)

For curl, we will use the command:

Let's change the configuration for Git:

The certificate error error most often occurs due to the lack of trusted root certificates or the use of self-signed certificates. In this article, we've figured out how to update root certificates, add your own, and safely fix the error.

Conclusion

Certificate errors are a common obstacle when working with HTTPS services on both Linux and Windows. They typically occur due to missing, outdated, or untrusted root certificates, or the use of self-signed certificates. By updating system root certificates, adding custom certificates to trusted storage, or properly configuring software like Git and Python, you can resolve these issues safely. While temporarily bypassing SSL verification is possible, it should only be used in isolated environments or testing scenarios, as it compromises connection security. Following these steps ensures secure and reliable communication with servers and external services.

FAQ

• Q1: What causes certificate errors in Linux and Windows?
  A: Most certificate errors occur due to missing or outdated root certificates, self-signed certificates, or incomplete certificate chains on the client system.
• Q2: How do I update root certificates on Linux?
  A: On CentOS/RedHat:
  sudo yum install -y ca-certificates
  sudo update-ca-trust force-enable
  sudo update-ca-trust extract

  On Ubuntu/Debian:

  sudo apt update
  sudo apt install -y ca-certificates
  sudo update-ca-certificates
• Q3: How do I trust a self-signed certificate?
  A: Copy the certificate to the system’s trusted storage and update the certificate database. For example, on Ubuntu:
  sudo cp my-ca.crt /usr/local/share/ca-certificates/
  sudo update-ca-certificates
• Q4: Can I bypass certificate verification?
  A: Yes, using commands like curl -k or git config --global http.sslVerify false, but this is not recommended for production environments as it compromises security.
• Q5: How do I fix certificate errors for Git on Windows?
  A: Place your .crt certificate in Git’s certificate folder or configure Git to use it explicitly:
  git config --global http.sslCAInfo "C:/path/to/my-ca.crt"
• Q6: How do I fix certificate errors in Python/pip?
  A: Use the --trusted-host option or set the SSL_CERT_FILE environment variable:
  python -m pip install --trusted-host pypi.org --trusted-host files.pythonhosted.org package_name
  set SSL_CERT_FILE=C:\path\to\my-ca.crt
• Q7: Why should I avoid disabling SSL verification permanently?
  A: Disabling SSL verification bypasses certificate checks, leaving your connection vulnerable to man-in-the-middle attacks and other security risks.