When working with HTTPS services on Linux, a certificate error, SSL certificate problem, or unable to verify the first certificate may occur. It usually means that the system cannot verify the authenticity of the server's SSL certificate.
In this article, we will analyze the causes of the error and ways to fix it for Windows and Linux-based clients!
Linux
Step 1. Check the error text
When connecting via curl, wget, git, or other utilities, one of the following errors may appear:
SSL certificate problem: self signed certificate
certificate verify failed
This means that:
- There is no root certificate in the system,
- The certificate is not trusted, or
- A self-signed certificate without trusted chains is installed.
Step 2. Update the root certificates
The most common reason is outdated or missing trusted root certificates.
For CentOS / RedOS / RHEL:
sudo update-ca-trust force-enable
sudo update-ca-trust extract
For Ubuntu / Debian:
sudo apt install -y ca-certificates
sudo update-ca-certificates
Step 3. Checking the certificate manually
You can verify the SSL certificate chain using openssl:
If the output shows verify error:num=20:unable to get local issuer certificate, it means the chain is incomplete or the client lacks a trusted CA.
Step 4. Add a self-signed certificate
If you use your own certificate (for example, from your own VPN or proxy), you need to add it to the trusted storage.:
Copy the certificate to the system storage:
Update the storage:
For Ubuntu:
sudo update-ca-certificates
Step 5. Bypassing verification (not recommended)
If the certificate is temporarily unavailable or you are working in an isolated environment, you can temporarily disable verification.:
The -k parameter allows you to establish a connection to the server ignoring errors, however, this method may not work if HSTS is installed on the server!
Do not use this in production — it violates the security of the connection.
Windows
Step 1. Checking the error text
The error often looks like this: "SSL certificate problem: unable to get local issuer certificate
certificate verify failed: unable to get local issuer certificate
self signed certificate in certificate chain" or "This site is not secure"
Step 2. Updating root certificates
The Windows operating system automatically updates root certificates through Windows Update. If automatic updates are disabled:
Make sure that the Windows Update Service (wuauserv) is enabled.
Update the system manually:
Or via PowerShell:
Install-Module -Name PSWindowsUpdate -Force
Install-WindowsUpdate -AcceptAll -AutoReboot
Step 3. Install a custom (self-signed) certificate
If you are using a proxy, a corporate network, or a test server with a self-signed SSL certificate:
Adding the certificate manually:
- Double-click the .crt file.
- Click Install Certificate.
- Choose: Local computer or Put it in storage: Trusted root certification authorities
Confirm the installation.
To install on behalf of the local computer, you need administrator rights.
Step 4. For Git: Trust in certificates
Git on Windows uses its own curl and openssl, and may not see the system certificates. To add your own .crt:
Place the certificate in a folder, for example:
Edit the file:
Add the contents of the .crt to the end of the file.
Or specify it manually:
Step 5. For Python / pip
If, when installing packages, it appears:
Use it:
Or add a path to your CA:
Step 6. Temporarily disable verification (not recommended)
For curl, we will use the command:
Let's change the configuration for Git:
The certificate error error most often occurs due to the lack of trusted root certificates or the use of self-signed certificates. In this article, we've figured out how to update root certificates, add your own, and safely fix the error.