Why does curl not trust letsencrypt?

When a PHP site makes a curl call to a site protected with a Let's Encrypt cert, it fails with this error:

  • SSL certificate problem: unable to get local issuer certificate

I took a cursory glance at the installed cacert.pem and found no mention of Let's Encrypt. Is it not included in curl's cacert.pem? Why? Is it possible to add it?


Yes, most modern systems will have the Let's Encrypt root cert.

What operating system are you using?
What version is it?
What is an example URL of the failing site? (the site may be misconfigured; we'll check)

What happens with this command? (just show first few lines if not an error)

curl -I https://community.letsencrypt.org

curl can successfully download from sites with other issuers' certs, for example from YouTube. The site is behind a tightly locked FW, so I do not have much freedom in testing other sites.
The site on which curl fails is considered secure by browsers, and having reviewed the Let's Encrypt cert installation documents I do not see any possibility for "misconfiguration": the cert is copied from the live folder to Apache's SSL.crt and SSL.key folders, then Apache loads them. What specifically could be misconfigured despite modern browsers considering the connection secure?

Meanwhile, are you able to review curl's latest cert bundle and point me at the specific block within it for Let's Encrypt?

If the site is only sending the leaf cert rather than the full chain then browsers often adapt to the wrong config. But, tools like curl and openssl will not adapt and report an error.

  • What program did you use to get the Let's Encrypt certs for the server?
  • If certbot, what file did you copy to "SSL.crt"? Was it cert.pem or fullchain.pem?
  • What is the URL of the failing site? Or at least the domain name.

The CA root store is part of each OS distribution. When using curl, inside or outside PHP, you can also override the system CA root store. Let's sort out the server config first and we can advise about the root store after if still needed.


If any root cert in YouTube's chain is more than 5 years old, it is likely in your curl cacert.pem file.

Search the cacert.pem file for this serial# 172886928669790476064670243504169061120
[which is for "ISRG Root X1"]


This is it! It was cert.pem. I copied fullchain.pem and curl now trusts it. Thanks a whole lot!

