cURL is not only a tool to make HTTP/HTTPS requests, it's a de-facto way to send and receive data from the internet using multiple protocols.
In this article, you'll learn how to fix cURL "Invalid certificate chain", which is a common error message generally occurs when the user make a request to the server.
Understanding Certificate Chain
We already know that in order to prove legitimacy, web servers needs to authenticate requests with a certificate of its own (SSL server certificate).
SSL server certificates are issued and signed by certification authorities (CAs) using the the CA's own certificates.
With SSL server certificates issued by public certification authorities (Let's Encrypt, Comodo, etc.) are typically signed by intermediate certificates. Those intermediate certificates may themselves be issued by other intermediate certificates belonging to the CAs.
The highest level of all that is a root certificate, which is used only by certification authorities and is signed by itself.
To sum it up, operating systems and browsers only store a handful Root Certificates and all the other certificates have to trace their origin back to one of those root certificates.
"Invalid certificate chain" error message indicates that there may have been some irregularities in one of the intermediate certificates or the server certificate itself (since the Root Certificates are well-maintained by a handful of experts to ensure smooth internet around the world, so it's not likely to be the problem source.)
Disable SSL verification
If you just want a quick workaround to get rid of the "invalid certificate chain" error, you can try disable
curl SSL verification using the
-k switch like we've mentioned in How to fix “failed to verify the legitimacy of the server” error with cURL.
curl -k https://random.com
Manually trust the certificate (macOS only)
On MacOS, you can manually trust the server certificate by using the Safari browser (not Chrome, Firefox or Opera) on Mac OS X 10.9 (Mavericks) and visit the URL that causes the error. For example, s3.hellopages.com.
Click the Show certificate button and then check the checkbox labelled Always trust. Finally, click Continue and input your password if required.
Disable http.sslVerify (Git users only)
Git uses curl internally to make requests and receive data from the internet. If you see something like this, you may have to disable SSL verification for things to work.
fatal: unable to access 'https://github.com/Homebrew/homebrew/': SSL certificate problem: Invalid certificate chain Error: Failure while executing: git pull -q origin refs/heads/master:refs/remotes/origin/master
In order to disable SSL verification, pass
--global http.sslVerify false into
git config --global http.sslVerify false
The solution is far from perfect, but at least it gets the job done.
Debug certiticate chain using free online tools
There are numerous online tools that can analyze and point out what is wrong with your website. One of my favorites is https://www.digicert.com/help/
The site checks for common server certificates configuration errors and show you the problem marked with a nice red cross.
With that info, you can clearly see where the problem comes from and how you can solve it quickly.
Alternatively, there are a few more free service that does the same thing.