How to fix cURL “Invalid certificate chain” error

cURL is not only a tool for making HTTP/HTTPS requests; it's a de facto way to send and receive data over the internet using multiple protocols.

In this article, you'll learn how to fix the cURL "Invalid certificate chain" error, a common error message that generally occurs when the user makes a request to the server.

Understanding Certificate Chain

We already know that, in order to prove its legitimacy, a web server needs to authenticate itself to clients with a certificate of its own (the SSL server certificate).

SSL server certificates are issued and signed by certification authorities (CAs) using the CA's own certificates.

SSL server certificates issued by public certification authorities (Let's Encrypt, Comodo, etc.) are typically signed by intermediate certificates. Those intermediate certificates may themselves be issued by other intermediate certificates belonging to the CAs.

The highest level of all that is a root certificate, which is used only by certification authorities and is signed by itself.

To sum it up, operating systems and browsers store only a handful of root certificates, and all other certificates have to trace their origin back to one of those root certificates.

The "Invalid certificate chain" error message indicates that there may be some irregularity in one of the intermediate certificates or in the server certificate itself. The root certificates are well maintained by a handful of experts to keep the internet running smoothly around the world, so they are not likely to be the source of the problem.
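
The chain described above can be reproduced offline. This added example (not code from the original article) uses the openssl command-line tool to build a constructed root, intermediate and server certificate, then shows one such irregularity: verification fails when the intermediate certificate is missing and passes when it is supplied. The names demo.example, Demo Root CA and Demo Intermediate CA, and all file names, are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: every key and certificate below is a throwaway built for this demo.
set -u

new_csr() {  # $1 = file stem, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_chain() {  # $1 = directory that receives root.pem, inter.pem and leaf.pem
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:demo.example\n' > "$d/leaf.ext"
  # Root certificate: signed with its own key.
  new_csr "$d/root" 'Demo Root CA' &&
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  # Intermediate certificate: signed by the root.
  new_csr "$d/inter" 'Demo Intermediate CA' &&
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null &&
  # Server certificate: signed by the intermediate, not by the root.
  new_csr "$d/leaf" 'demo.example' &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 3 -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Client trusts only the root and the server sent only its own certificate.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Same trust store, but the intermediate is supplied as an untrusted helper.
verify_full_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/leaf.pem" >/dev/null 2>&1
}

demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
build_chain "$demo" || { echo "could not build the demo chain" >&2; exit 1; }
verify_leaf_only "$demo" && echo "leaf only: OK" || echo "leaf only: FAIL"
verify_full_chain "$demo" && echo "leaf + intermediate: OK" || echo "leaf + intermediate: FAIL"
```

Against a real server, openssl s_client -connect HOST:443 -showcerts prints the certificates the server actually sends, which can then be checked the same way.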

Disable SSL verification

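If you just want a quick workaround to get rid of the "invalid certificate chain" error, you can disable curl's SSL verification with the -k switch (the short form of --insecure), as we've mentioned in How to fix “failed to verify the legitimacy of the server” error with cURL. With -k, curl still encrypts the connection but no longer checks the server's certificate, so the server's identity is not verified.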

curl -k https://random.com

Manually trust the certificate (macOS only)

On macOS, you can manually trust the server certificate by using the Safari browser (not Chrome, Firefox or Opera) on Mac OS X 10.9 (Mavericks) to visit the URL that causes the error, for example s3.hellopages.com.

Click the Show certificate button and then check the checkbox labelled Always trust. Finally, click Continue and input your password if required.

Disable http.sslVerify (Git users only)

Git uses curl internally to make requests and receive data from the internet. If you see something like this, you may have to disable SSL verification for things to work.

fatal: unable to access 'https://github.com/Homebrew/homebrew/': SSL certificate problem: Invalid certificate chain
Error: Failure while executing: git pull -q origin refs/heads/master:refs/remotes/origin/master

To disable SSL verification, pass --global http.sslVerify false to git config. The --global flag applies the setting to every repository of the current user.

git config --global http.sslVerify false

The solution is far from perfect, but at least it gets the job done.

Debug certificate chain using free online tools

There are numerous online tools that can analyze and point out what is wrong with your website. One of my favorites is https://www.digicert.com/help/

The site checks for common server certificate configuration errors and shows you the problem marked with a nice red cross.

With that info, you can clearly see where the problem comes from and how you can solve it quickly.

Alternatively, there are a few more free services that do the same thing.
