Skip to content

curl (77) problem with the SSL CA cert

Key idea:

curl exits with 77 (CURLE_SSL_CACERT_BADFILE) when the CA bundle file it was pointed at is missing or unreadable. Three causes: (1) /etc/ssl/certs/ca-certificates.crt missing — the ca-certificates package is not installed, (2) inside a container (alpine, scratch) the CA bundle is absent, (3) the CURL_CA_BUNDLE env var points at a non-existent file.

Below: details, example, related, FAQ.

Check your site's SSL →

Details

  • Default bundle paths: /etc/ssl/certs/ca-certificates.crt (Debian), /etc/pki/tls/certs/ca-bundle.crt (RHEL)
  • Alpine: apk add ca-certificates; then update-ca-certificates
  • Docker scratch: copy the bundle from an unpacked image
  • --cacert /path/to/ca.pem — per-request override
  • -k / --insecure skips verify — debug only, never production

Example

# Debian/Ubuntu: install bundle
$ apt-get install ca-certificates

# Alpine (Docker)
$ apk add --no-cache ca-certificates
$ update-ca-certificates

# Debug — which bundle curl sees
$ curl -v https://example.com 2>&1 | grep -i "CAfile\|CApath"

# Default via env
$ export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

Related

Understanding CA Certificates and Their Importance

CA certificates are crucial for establishing secure connections over the internet. They are used to verify the authenticity of SSL/TLS certificates presented by servers, ensuring that data transmitted between clients and servers remains secure.

When curl encounters a curl error 77, it indicates that the CA certificate bundle is either missing or unreadable. This can lead to failed HTTPS requests, which can compromise the security of data transfers.

Here are key points to understand about CA certificates:

  • Root Certificate Authorities (CAs): These are trusted entities that issue and manage digital certificates. Browsers and operating systems maintain a list of trusted root CAs.
  • Intermediate Certificates: These serve as a bridge between the root CA and the SSL certificates installed on servers. They help establish a chain of trust.
  • CA Bundle: A CA bundle is a file that contains multiple CA certificates. It is used by tools like curl to validate the SSL certificates presented by servers.

Understanding the role of CA certificates can help you troubleshoot issues related to SSL connections and fix curl error 77 efficiently.

Troubleshooting Common Causes of curl Error 77

Encountering curl error 77 can be frustrating, but knowing how to troubleshoot the common causes can save you time and effort. Here are some steps to identify and resolve the issue:

  • Check CA Bundle Path: First, verify the path to your CA bundle. Run the following command:
ls -l /etc/ssl/certs/ca-certificates.crt

If the file does not exist, you may need to install or reinstall the CA certificates package:

sudo apt-get install ca-certificates
  • Check Permissions: Ensure that the CA bundle file has the correct permissions. You can check this with:
stat /etc/ssl/certs/ca-certificates.crt

Make sure the file is readable by the user running the curl command.

  • Using Containers: If you are working within a container, ensure that the CA certificates are installed. For example, in an Alpine-based container, you can add CA certificates with:
RUN apk add --no-cache ca-certificates

After making these changes, try running your curl command again to see if the error persists.

Configuring CURL_CA_BUNDLE Environment Variable

The CURL_CA_BUNDLE environment variable allows you to specify a custom CA certificate bundle for curl. If this variable points to a non-existent or inaccessible file, it can trigger curl error 77. Here’s how to configure it correctly:

To set the CURL_CA_BUNDLE variable, use the following command:

export CURL_CA_BUNDLE=/path/to/your/ca-bundle.crt

Replace /path/to/your/ca-bundle.crt with the actual path to your CA bundle file. Ensure that the file exists and is readable:

  • Verify the file:
ls -l /path/to/your/ca-bundle.crt

If the file is missing, you will need to obtain a valid CA bundle. You can download a CA bundle from curl's official website.

After setting the environment variable, you can test your curl command:

curl https://example.com

If the command executes successfully, it indicates that the CURL_CA_BUNDLE variable is configured correctly. If you continue to face issues, recheck the path and permissions of the specified CA bundle.

CertificateExpiry, issuer, domains (SAN)
ChainIntermediate and root CA validation
TLS ProtocolTLS version and cipher suite
VulnerabilitiesHeartbleed, POODLE, weak ciphers

Why teams trust us

TLS 1.3
supported
Full
CA chain check
<2s
result
30/14/7
days-to-expiry alerts

How it works

1

Enter domain

2

TLS chain verified

3

Expiry date & vulnerabilities

What Does the SSL Check Cover?

SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.

Certificate Details

Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).

Chain of Trust

Full chain verification: from leaf certificate through intermediates to root CA.

TLS Analysis

Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.

Expiry Alerts

Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.

DV vs OV vs EV Certificates

DV (Domain Validation)
  • Confirms domain ownership only
  • Issued in minutes automatically
  • Free via Let's Encrypt
  • Suitable for most websites
  • Most common certificate type
OV / EV
  • Organization (OV) or Extended Validation (EV)
  • Issued in 1-5 business days
  • Costs $50 to $500/year
  • For finance, e-commerce, government sites
  • Increases user trust

Who uses this

DevOps

SSL certificate monitoring

Security

TLS config audit

SEO

HTTPS as ranking factor

E-commerce

customer trust

Common Mistakes

Expired certificateBrowsers block sites with expired SSL. Set up auto-renewal or monitoring.
Incomplete certificate chainWithout intermediate CA, some browsers and bots cannot verify the certificate.
Mixed content on HTTPS siteHTTP resources on an HTTPS page — the browser lock icon disappears, reducing trust.
Using TLS 1.0/1.1Legacy TLS versions have known vulnerabilities. Use TLS 1.2+ or 1.3.
Domain mismatch in certificateThe certificate must cover all site domains, including www and subdomains.

Best Practices

Set up auto-renewalLet's Encrypt + certbot with cron — certificate renews automatically every 60-90 days.
Enable HSTSStrict-Transport-Security header forces browsers to always use HTTPS.
Use TLS 1.3TLS 1.3 is faster (1-RTT handshake) and safer — legacy ciphers removed.
Monitor expiration datesCreate a monitor on Enterno.io — get notified well before expiration.
Verify chain after renewalAfter certificate renewal, confirm that intermediate certificates are installed.

Get more with a free account

SSL certificate monitoring, check history and alerts 30 days before expiry.

Sign up free

Learn more

Sources

Frequently Asked Questions

Alpine Docker — safe?

Yes if you add ca-certificates. Scratch — you need to copy the bundle from a builder image.

CI / CD?

Images like alpine:latest usually ship ca-certificates. gcr.io/distroless/base too. Check your Dockerfile.

Self-signed?

Either --cacert pointing at the self-signed CA, or import into the system bundle via update-ca-certificates.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.