cURL Certificate Problem - server certificate verification failed

If your build uses curl with HTTPS URLs, you might have started to encounter an error. If so, it may look something like this:

curl: (60) SSL certificate problem: certificate has expired
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

If you are using the CircleCI Linux machine image:

jobs:
  build:
    machine:
      image: ubuntu-1604:202004-01

then a simple workaround for this issue is to manually update the ca-certificates package. You can do this in your build, before using curl, like this:

sudo apt-get update && sudo apt-get install -y ca-certificates

This problem only occurs with the combination of some HTTPS URLs (not all) and an older ca-certificates package. If you already update packages with apt-get update, that will include the update for ca-certificates as well.

I’ve been having this issue since yesterday when circleci executes: curl -o- -L https://yarnpkg.com/install.sh.
I’m using the circleci/node:14.16 image. How can I get rid of this error?

3 Likes

We have also been running into the same issue since yesterday for curl -o- -L https://yarnpkg.com/install.sh using the circleci/ruby:2.6.2-stretch image in Docker.

Manually running sudo apt-get update && sudo apt-get install -y ca-certificates did not fix the issue.

On investigation, it looks as though the CircleCI server running the curl command is able to validate the certificate used by yarnpkg.com, but yarnpkg.com 301 redirects the curl request to classic.yarnpkg.com/install.sh to download the resource. The curl request is unable to validate the certificate for classic.yarnpkg.com.

The certificate used by classic.yarnpkg.com has only been valid since 10 days ago:

> openssl s_client -servername classic.yarnpkg.com -connect classic.yarnpkg.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Sep 20 16:00:27 2021 GMT
notAfter=Dec 19 16:00:26 2021 GMT

On other machines, I am able to successfully use curl to retrieve this resource - @FelicianoTech, is it possible that the CircleCI images are unable to validate the newly valid certificate, even after the manual cert bundle refresh?

Thank you!!

1 Like
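
The per-hop check described in the post above, as an added example that is not part of the original thread: it lists every host in a redirect chain from `curl -sIL` headers, then inspects each host's certificate with the same `openssl` commands the post used. The function names and the sample headers are constructed for illustration, and it assumes `openssl` and `curl` read the same system trust store.

```shell
#!/bin/sh
# Added example: find every host a redirect chain touches, then check each
# host's certificate on its own. Function names are illustrative.

# hop_hosts START_URL
# Reads `curl -sIL` response headers on stdin and prints each distinct host in
# the chain, start host first. A relative Location stays on the current host.
hop_hosts() {
  awk -v start="$1" '
    function host(u) {
      sub(/^([a-zA-Z][a-zA-Z0-9+.-]*:)?\/\//, "", u)  # scheme
      sub(/[\/?#].*$/, "", u)                          # path, query, fragment
      sub(/^.*@/, "", u)                               # userinfo
      sub(/:[0-9]+$/, "", u)                           # port
      return u
    }
    BEGIN { cur = host(start); print cur; seen[cur] = 1 }
    { sub(/\r$/, "") }                                 # headers end in CRLF
    tolower($1) == "location:" {
      if ($2 ~ /^([a-zA-Z][a-zA-Z0-9+.-]*:)?\/\//) cur = host($2)
      if (!(cur in seen)) { print cur; seen[cur] = 1 }
    }'
}

# check_host HOST (needs network): print the validity dates and the chain
# verification result for the certificate HOST serves on port 443.
check_host() {
  out=$(openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null)
  printf '== %s\n' "$1"
  printf '%s\n' "$out" | openssl x509 -noout -dates 2>/dev/null \
    || echo "no certificate received"
  printf '%s\n' "$out" | sed -n '/Verify return code/{p;q;}'
}

# Constructed sample of `curl -sIL` output for the chain described in the post.
SAMPLE_HEADERS='HTTP/1.1 301 Moved Permanently
location: https://classic.yarnpkg.com/install.sh

HTTP/1.1 302 Found
location: /install.sh?v=1

HTTP/1.1 200 OK
content-type: application/x-sh'

if [ "$#" -gt 0 ]; then
  # Live mode. curl still prints the first hop's headers when a later hop
  # fails verification, so the failing host is included in the list.
  for h in $(curl -sIL "$1" | hop_hosts "$1"); do check_host "$h"; done
else
  printf '%s\n' "$SAMPLE_HEADERS" | hop_hosts https://yarnpkg.com/install.sh
fi
```

Run it with a URL argument to check a live chain; a hop whose line reads anything other than `Verify return code: 0 (ok)` is the one to investigate.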

Swapping out the curl call for:

npm install --global yarn

Worked great for me

Same for me here, anybody found anything for this one?

This resolved it for me, I hope it helps you too:

This resolved my issue!

We had the issue with circleci/node:14.17.5, upgrading to circleci/node:14.18.0 fixed it.

I’m also experiencing this issue.
If you add the -k flag to your curl request it will work, although I highly advise against this and hope someone else has a better fix :joy:

I started seeing this error sometime this morning. I’m using

    machine:
      image: ubuntu-2204:2023.04.2
      resource_class: large

I added this before the curl
sudo apt-get update && sudo apt-get install -y ca-certificates

But curl is still failing:

Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
19 added, 6 removed; done.
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for ca-certificates (20230311ubuntu0.22.04.1) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

done.
done.
NEEDRESTART-VER: 3.5
NEEDRESTART-KCUR: 5.19.0-1022-aws
NEEDRESTART-KEXP: 5.19.0-1022-aws
NEEDRESTART-KSTA: 1
curl: (60) SSL: no alternative certificate subject name matches target host name 'objects.githubusercontent.com'
More details here: https://curl.se/docs/sslcerts.html

I am experiencing the same problem since today.

curl: (60) SSL: no alternative certificate subject name matches target host name 'dl.google.com'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.