curl, which is the command-line interface to libcurl, is an essential tool for developers and power users who work with HTTP requests on a daily basis.
Beside HTTP, curl supports a huge number of protocols: DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, and TFTP.
curl is available out of the box or as an easy-to-install package on most Linux distributions and on macOS, and has recently made its way into Windows as well.
In this article, you'll learn what cURL's "failed to verify the legitimacy of the server" error means and discover a few possible fixes for when you encounter this message.
The reason for "failed to verify the legitimacy of the server"
Transfer of sensitive information is done under the cover of TLS, and TLS relies on digital certificates. The server's certificate lets the client confirm that the server it is talking to is actually the one named in the URL and not an impostor.
Digital certificates are issued by certificate authorities, or CAs. The list of trusted CAs and their root certificates is installed on the client, not on the server: curl reads it from the CA bundle it was built to use, normally the one maintained by the operating system. The server only needs its own certificate plus any intermediate certificates that link it to one of those trusted roots.
During the TLS handshake the server presents its certificate chain, and curl checks that the chain ends at a root in its CA store, that nothing in it has expired, and that the certificate's name matches the host in the URL. When the chain cannot be verified, for example because the server certificate or one of its intermediates is self-signed, the TLS library reports an error ("failed to verify the legitimacy of the server") during the handshake, curl aborts the connection and no request is sent.
"Failed to verify the legitimacy of the server" only happens on TLS-protected connections, so HTTPS first of all, but also FTPS, SMTPS, IMAPS and the other "S" protocols in the list above. It indicates that the certificate presented by the server cannot be verified against the local trust store, so the connection is refused before any data is exchanged. The message alone does not tell you whether the server is misconfigured, your CA bundle is outdated, or something is sitting between you and the server.
The full error message may look like what’s shown below.
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
The message is also exactly what you see when a man-in-the-middle attacker masquerades as the website you asked for: the attacker can present a certificate, but not one that chains to a trusted CA for that hostname. From the client's side, a self-signed test server, a TLS-inspecting corporate proxy and an active attacker all produce the same error, which is why disabling the check is a risk and not just a convenience.
Quick fix: disable strict certificate checking
If you just want a quick workaround to get rid of the message, you can disable curl's strict certificate checking with the -k switch:
curl -k https://random.com
The long form, --insecure (two dashes), achieves the same result:
curl --insecure https://random.com
With either switch curl still performs the TLS handshake and encrypts the traffic, but it accepts whatever certificate the server presents, so anyone who can intercept the connection can impersonate the server and read or modify what you send. Use it for throwaway tests against hosts you control, and prefer --cacert with the CA that actually signed the server's certificate, or an updated system CA bundle, for anything that carries credentials or data you care about.
Running man curl | less +/--insecure shows the detailed description of the -k switch:
-k, --insecure
(TLS) By default, every SSL connection curl makes is verified to be secure. This option allows curl to proceed and operate even for server connections otherwise considered insecure.
The server connection is verified by making sure the server's certificate contains the right name and verifies successfully using the cert store.
See this online resource for further details: https://curl.haxx.se/docs/sslcerts.html
See also --proxy-insecure and --cacert
Disable curl SSL certificate validation
If you feel that manually passing the -k switch every time you make a request is too time-consuming, you can also make curl use the switch on every invocation by writing it to the .curlrc configuration file (in a config file, long options are written without the leading dashes). Open up a terminal window and run the following command:
echo insecure >> $HOME/.curlrc
Keep in mind that .curlrc is read by every curl invocation under your account, including scripts, installers and CI jobs that were never meant to run without verification, and that running the command twice appends the line twice. To skip the config file for a single run, pass -q as the first argument (curl -q https://random.com); to go back to normal verification, delete the insecure line from the file again.