Bobcares

Curl error 77 problem with the SSL CA cert – Root causes and fix

by | Jul 1, 2020

Are you facing a curl error 77 problem with the SSL CA cert while curling an SSL website?

One of the main reasons for this error is that the SSL chain certificate files on the server are broken or missing.

At Bobcares, we help our customers fix similar SSL errors as part of our Server Management Services.

Today, let’s discuss the details of how to fix this error.

What is curl error 77 problem with the SSL CA cert?

Curl error 77 error is a server-side error.  This error indicated that the chain certificate files are missing or “broken”. Usually, this error happens simply by outdated SSL certificate(s) for cURL installed on the server.  Also, the wrong or incomplete configuration settings on the server can trigger an error on the website.

The error looks like,

Frequently, some websites’ PHP scripts may fail with curl error 77 in Plesk servers.  Then the website shows the following error:

cURL error (77): Problem with the SSL CA cert (path? access rights?)cURL error (77): Problem with the SSL CA cert (path? access rights?)

This error occurs when PHP cURL uses an outdated set of root certificates to verify server certificates.

 

How to Fix Curl Error 77

  1. First, check if the necessary CA certificate files exist on the server. The critical files are:
    • /etc/pki/tls/certs/ca-bundle.crt
    • /etc/pki/tls/certs/ca-bundle.trust.crt

    Then, run this command to verify their existence:

    ls -l /etc/pki/tls/certs/ca-bundle.crt
    ls -l /etc/pki/tls/certs/ca-bundle.trust.crt

    If these files are missing or corrupted, we have to restore them.

  2. If the CA certificate files are corrupted or missing, we can remove and reinstall the CA certificates using the following commands:


    # Remove the existing CA bundle
    rm -f /etc/ssl/certs/ca-bundle.crt

    • For CentOS or RHEL, run:

      yum update ca-certificates

    • For Ubuntu or Debian, use:

      apt-get update

    Then, run this command:

    apt-get install --reinstall ca-certificates

  3. For Plesk servers, we have to update the configuration to resolve cURL error 77. Add the following configuration to the panel.ini file. The default path for Plesk is:

    %plesk_dir% = C:\Program Files (x86)\Plesk\

    Add this section to %plesk_dir%admin\conf\panel.ini:

    curlCertificatesUrl="http://curl.haxx.se/ca/cacert.pem"

    This setting directs Plesk to use the specified URL for the CA certificates.

  4. Sometimes, cURL requests may fail for cPanel users while the root user can execute them without issues.

    To resolve this, ensure that the user has the necessary permissions to access the /etc/pki directory. We can check the permissions using:

    ls -ld /etc/pki

    If the user has jailed SSH access, we can grant them full access or adjust their permissions accordingly. We can change the permissions with:

    chmod 755 /etc/pki

  5. If we are using PHP, make sure that the curl.cainfo directive in the php.ini file is correctly set to point to the CA bundle. Open the php.ini file and add or modify the following line:

    curl.cainfo="/etc/ssl/certs/ca-bundle.crt"

    If we are on shared hosting, you may also need to add this line to the .user.ini file located in the public_html folder.

  6. After making changes to SSL configurations or updating packages, it’s essential to restart the PHP and web server services to apply the changes.
  7. Sometimes, the symbolic link to the CA bundle might be missing or broken. We can check and create it as follows:

    # Check if the symlink exists
    ls -l /etc/pki/tls/certs/ca-bundle.crt
    # If it does not exist, create it
    ln -s /etc/ssl/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt

  8. If we are using tools like Composer and encountering cURL error 77, make sure that we have the latest version of Composer installed. We can download it from the official site:

    php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
    php composer-setup.php --install-dir=/usr/local/bin –filename=composer

  9. If we are using a system that relies on NSS, it has to be properly installed and updated. We can update NSS with:

    yum update nss

Alternative Solution

If we still see cURL error 77, a firewall or security software may be blocking cURL requests. Here’s how to check and fix this:

  1. Turn off the firewall to see if it fixes the error:
    • For Linux (Ubuntu/Debian):

      sudo ufw disable

    • For Linux (CentOS/RHEL):

      sudo systemctl stop firewalld

    • For Windows:

      First, open Windows Defender Firewall, go to “Inbound Rules” and “Outbound Rules,” right-click each rule, and select “Disable Rule.”

      After this, run the cURL command again.

  2. Additionally, look at the antivirus or anti-malware settings. Make sure they are not blocking cURL.
  3. Add cURL or the URL we want to access to the whitelist in the security software.
  4. Make sure the security software is up to date.
  5. Open the software, check for updates, and install them. Restart the system afterward.
  6. As a last resort, turn off the security software to see if it helps.
  7. Open the software, find the option to disable protection, and apply the changes. Restart if needed.

Preventing cURL Error 77

  • Keep the CA certificates up to date to avoid issues with outdated or missing certificates.
  • Regularly check for system updates, especially for NSS and CA certificates, to prevent potential issues.
  • Ensure the firewall and security software allow cURL requests without interference by creating necessary exceptions.
  • Restart relevant services after updates to ensure they are using the latest configurations.
  • Specify the CA certificate file with the –cacert option in cURL to help it locate the correct certificate.
  • Verify that the permissions for CA certificate files and directories are correctly set for the user running cURL.
  • Set up monitoring for SSL/TLS configurations and cURL operations to receive alerts about any failures or issues.

Other common SSL certificate problem

Similarly, the error SSL certificate problem: Unable to get local issuer certificate can occur when a self-signed certificate cannot be verified or it shows that the root certificates on the system are not working correctly.

Also, It is important to note that this applies to the system sending the CURL request, and NOT the server receiving the request.

To fix the error,

1. Initially, download cacert.pem. from https://curl.haxx.se/ca/cacert.pem

2. Add the following line to php.ini:

curl.cainfo="/path/to/downloaded/cacert.pem"

Furthermore, if the server is shared hosting, add the above value to .user.ini file in the public_html folder.

3. Restart PHP

Now, CURL is able to read HTTPS URL without any error.

 

[Need assistance to fix curl error 77?- We’re available 24/7.]

 

Conclusion

In short, the curl error 77 problem with the SSL CA cert occurs when SSL chain certificate files are missing or broken. Today, we saw how our Support Engineers fixed this error.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

6 Comments

  1. karthini

    i open the roblox and it cannot open it says error (httperror:curl: 77)like this.i dont how to fix,help me i want to play roblox….help me

    Reply
    • Hiba Razak

      Hi,
      Please contact our support team via live chat(click on the icon at right-bottom)

      Reply
  2. Sharon Sasporta

    It didn’t work for me

    Reply
    • Hiba Razak

      Hi,
      Please contact our support team via live chat(click on the icon at right-bottom)

      Reply
  3. Ravi Ranjan

    This issue generally encountered if docker or Kubernetes repos are included in the yum repo e.g.

    [root@centos-8-slave ~]# dnf install samba samba-common samba-client
    Docker CE Stable – x86_64 0.0 B/s | 0 B 00:00
    Errors during downloading metadata for repository ‘docker-ce-stable’:
    – Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://download.docker.com/linux/centos/8/x86_64/stable/repodata/repomd.xml [error setting certificate verify locations:
    CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none]
    Error: Failed to download metadata for repo ‘docker-ce-stable’: Cannot download repomd.xml: Curl error (77): Problem with the SSL CA cert (path? access rights?) for https://download.docker.com/linux/centos/8/x86_64/stable/repodata/repomd.xml [error setting certificate verify locations:
    CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none]

    Solution:

    [root@centos-8-slave ~]# ls -lrt /etc/yum.repos.d/*

    -rw-r–r–. 1 root root 1919 Apr 22 10:36 /etc/yum.repos.d/docker-ce.repo
    -rw-r–r–. 1 root root 298 Apr 22 10:41 /etc/yum.repos.d/kubernetes.repo

    1. Just rename or move the docker-ce and Kubernetes repo
    [root@centos-8-slave ~]# mv /etc/yum.repos.d/docker-ce.repo /etc/yum.repos.d/docker-ce.repo_bkp
    [root@centos-8-slave ~]# mv /etc/yum.repos.d/kubernetes.repo /etc/yum.repos.d/kubernetes.repo_bkp

    [root@centos-8-slave ~]# dnf install samba samba-common samba-client
    Last metadata expiration check: 0:08:46 ago on Sat 03 Jun 2023 09:24:50 AM IST.

    Reply
  4. Larry Timmins

    Confirmed list of NSS packages for CentOS7/RHEL7 that impacted Plesk / caused curl 077 errors

    From /var/log/yum.log
    nss-util-3.90.0-1.el7_9.x86_64
    nss-softokn-freebl-3.90.0-6.el7_9.x86_64
    nss-softokn-3.90.0-6.el7_9.x86_64
    nss-sysinit-3.90.0-2.el7_9.x86_64
    nss-3.90.0-2.el7_9.x86_64
    nss-tools-3.90.0-2.el7_9.x86_64
    nss-softokn-freebl-3.90.0-6.el7_9.i686

    Bottom line: After you restarted the php-fpm processes and sw-engine
    (systemctl restart plesk-php* && systemctl restart sw-engine)
    the php curl functions are working again.

    Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.

Privacy Preference Center

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]
PHPSESSID
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid
smartlookCookie
_clck, _clsk, CLID, ANONCHK, MR, MUID, SM

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

_reb2bgeo - The visitor's geographical location

_reb2bloaded - Whether or not the script loaded for the visitor

_reb2bref - The referring URL for the visit

_reb2bsessionID - The visitor's RB2B session ID

_reb2buid - The visitor's RB2B user ID

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie
1P_JAR, NID, DV
NID
hblid
_reb2bgeo, _reb2bloaded, _reb2bref, _reb2bsessionID, _reb2buid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

SID, APISID, HSID, NID, PREF
SID, APISID, HSID, NID, PREF