curl exits with 77 (CURLE_SSL_CACERT_BADFILE) when the CA bundle file it was pointed at is missing or unreadable. Three causes: (1) /etc/ssl/certs/ca-certificates.crt missing — the ca-certificates package is not installed, (2) inside a container (alpine, scratch) the CA bundle is absent, (3) the CURL_CA_BUNDLE env var points at a non-existent file.
Below: details, example, related, FAQ.
Free online tool — SSL certificate checker: instant results, no signup.
# Debian/Ubuntu: install bundle
$ apt-get install ca-certificates
# Alpine (Docker)
$ apk add --no-cache ca-certificates
$ update-ca-certificates
# Debug — which bundle curl sees
$ curl -v https://example.com 2>&1 | grep -i "CAfile\|CApath"
# Default via env
$ export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crtCA certificates are crucial for establishing secure connections over the internet. They are used to verify the authenticity of SSL/TLS certificates presented by servers, ensuring that data transmitted between clients and servers remains secure.
When curl encounters a curl error 77, it indicates that the CA certificate bundle is either missing or unreadable. This can lead to failed HTTPS requests, which can compromise the security of data transfers.
Here are key points to understand about CA certificates:
curl to validate the SSL certificates presented by servers.Understanding the role of CA certificates can help you troubleshoot issues related to SSL connections and fix curl error 77 efficiently.
Encountering curl error 77 can be frustrating, but knowing how to troubleshoot the common causes can save you time and effort. Here are some steps to identify and resolve the issue:
ls -l /etc/ssl/certs/ca-certificates.crtIf the file does not exist, you may need to install or reinstall the CA certificates package:
sudo apt-get install ca-certificatesstat /etc/ssl/certs/ca-certificates.crtMake sure the file is readable by the user running the curl command.
RUN apk add --no-cache ca-certificatesAfter making these changes, try running your curl command again to see if the error persists.
The CURL_CA_BUNDLE environment variable allows you to specify a custom CA certificate bundle for curl. If this variable points to a non-existent or inaccessible file, it can trigger curl error 77. Here’s how to configure it correctly:
To set the CURL_CA_BUNDLE variable, use the following command:
export CURL_CA_BUNDLE=/path/to/your/ca-bundle.crtReplace /path/to/your/ca-bundle.crt with the actual path to your CA bundle file. Ensure that the file exists and is readable:
ls -l /path/to/your/ca-bundle.crtIf the file is missing, you will need to obtain a valid CA bundle. You can download a CA bundle from curl's official website.
After setting the environment variable, you can test your curl command:
curl https://example.comIf the command executes successfully, it indicates that the CURL_CA_BUNDLE variable is configured correctly. If you continue to face issues, recheck the path and permissions of the specified CA bundle.
SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.
Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).
Full chain verification: from leaf certificate through intermediates to root CA.
Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.
Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.
SSL certificate monitoring
TLS config audit
HTTPS as ranking factor
customer trust
www and subdomains.Strict-Transport-Security header forces browsers to always use HTTPS.SSL certificate monitoring, check history and alerts 30 days before expiry.
Sign up freeYes if you add ca-certificates. Scratch — you need to copy the bundle from a builder image.
Images like alpine:latest usually ship ca-certificates. gcr.io/distroless/base too. Check your Dockerfile.
Either --cacert pointing at the self-signed CA, or import into the system bundle via update-ca-certificates.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.