Are you facing a curl error 77 problem with the SSL CA cert while curling an SSL website?

One of the main reasons for this error is that the SSL chain certificate files on the server are broken or missing.

At Bobcares, we help our customers fix similar SSL errors as part of our Server Management Services.

Today, let’s discuss the details of how to fix this error.

What is curl error 77 problem with the SSL CA cert?

Curl error 77 error is a server-side error.  This error indicated that the chain certificate files are missing or “broken”. Usually, this error happens simply by outdated SSL certificate(s) for cURL installed on the server.  Also, the wrong or incomplete configuration settings on the server can trigger an error on the website.

The error looks like,

Frequently, some websites’ PHP scripts may fail with curl error 77 in Plesk servers.  Then the website shows the following error:

cURL error (77): Problem with the SSL CA cert (path? access rights?)cURL error (77): Problem with the SSL CA cert (path? access rights?)

This error occurs when PHP cURL uses an outdated set of root certificates to verify server certificates.

How to Fix Curl Error 77

1. First, check if the necessary CA certificate files exist on the server. The critical files are:
   • /etc/pki/tls/certs/ca-bundle.crt
   • /etc/pki/tls/certs/ca-bundle.trust.crt

   Then, run this command to verify their existence:

   ls -l /etc/pki/tls/certs/ca-bundle.crt
ls -l /etc/pki/tls/certs/ca-bundle.trust.crt

   If these files are missing or corrupted, we have to restore them.
2. If the CA certificate files are corrupted or missing, we can remove and reinstall the CA certificates using the following commands:

   
# Remove the existing CA bundle
rm -f /etc/ssl/certs/ca-bundle.crt

   • For CentOS or RHEL, run:

     yum update ca-certificates
   • For Ubuntu or Debian, use:

     apt-get update

   Then, run this command:

   apt-get install --reinstall ca-certificates
3. For Plesk servers, we have to update the configuration to resolve cURL error 77. Add the following configuration to the panel.ini file. The default path for Plesk is:

   %plesk_dir% = C:\Program Files (x86)\Plesk\

   Add this section to %plesk_dir%admin\conf\panel.ini:

   curlCertificatesUrl="http://curl.haxx.se/ca/cacert.pem"

   This setting directs Plesk to use the specified URL for the CA certificates.
4. Sometimes, cURL requests may fail for cPanel users while the root user can execute them without issues.

   To resolve this, ensure that the user has the necessary permissions to access the /etc/pki directory. We can check the permissions using:

   ls -ld /etc/pki

   If the user has jailed SSH access, we can grant them full access or adjust their permissions accordingly. We can change the permissions with:

   chmod 755 /etc/pki
5. If we are using PHP, make sure that the curl.cainfo directive in the php.ini file is correctly set to point to the CA bundle. Open the php.ini file and add or modify the following line:

   curl.cainfo="/etc/ssl/certs/ca-bundle.crt"

   If we are on shared hosting, you may also need to add this line to the .user.ini file located in the public_html folder.
6. After making changes to SSL configurations or updating packages, it’s essential to restart the PHP and web server services to apply the changes.
7. Sometimes, the symbolic link to the CA bundle might be missing or broken. We can check and create it as follows:

   # Check if the symlink exists
ls -l /etc/pki/tls/certs/ca-bundle.crt
# If it does not exist, create it
ln -s /etc/ssl/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt

8. If we are using tools like Composer and encountering cURL error 77, make sure that we have the latest version of Composer installed. We can download it from the official site:

   php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php composer-setup.php --install-dir=/usr/local/bin –filename=composer

9. If we are using a system that relies on NSS, it has to be properly installed and updated. We can update NSS with:

   yum update nss

Alternative Solution

If we still see cURL error 77, a firewall or security software may be blocking cURL requests. Here’s how to check and fix this:

1. Turn off the firewall to see if it fixes the error:
   • For Linux (Ubuntu/Debian):

     sudo ufw disable
   • For Linux (CentOS/RHEL):

     sudo systemctl stop firewalld
   • For Windows:

     First, open Windows Defender Firewall, go to “Inbound Rules” and “Outbound Rules,” right-click each rule, and select “Disable Rule.”

     After this, run the cURL command again.
2. Additionally, look at the antivirus or anti-malware settings. Make sure they are not blocking cURL.
3. Add cURL or the URL we want to access to the whitelist in the security software.
4. Make sure the security software is up to date.
5. Open the software, check for updates, and install them. Restart the system afterward.
6. As a last resort, turn off the security software to see if it helps.
7. Open the software, find the option to disable protection, and apply the changes. Restart if needed.

Preventing cURL Error 77

• Keep the CA certificates up to date to avoid issues with outdated or missing certificates.
• Regularly check for system updates, especially for NSS and CA certificates, to prevent potential issues.
• Ensure the firewall and security software allow cURL requests without interference by creating necessary exceptions.
• Restart relevant services after updates to ensure they are using the latest configurations.
• Specify the CA certificate file with the –cacert option in cURL to help it locate the correct certificate.
• Verify that the permissions for CA certificate files and directories are correctly set for the user running cURL.
• Set up monitoring for SSL/TLS configurations and cURL operations to receive alerts about any failures or issues.

Other common SSL certificate problem

Similarly, the error SSL certificate problem: Unable to get local issuer certificate can occur when a self-signed certificate cannot be verified or it shows that the root certificates on the system are not working correctly.

Also, It is important to note that this applies to the system sending the CURL request, and NOT the server receiving the request.

To fix the error,

1. Initially, download cacert.pem. from https://curl.haxx.se/ca/cacert.pem

2. Add the following line to php.ini:

curl.cainfo="/path/to/downloaded/cacert.pem"

Furthermore, if the server is shared hosting, add the above value to .user.ini file in the public_html folder.

3. Restart PHP

Now, CURL is able to read HTTPS URL without any error.

[Need assistance to fix curl error 77?- We’re available 24/7.]

Conclusion

In short, the curl error 77 problem with the SSL CA cert occurs when SSL chain certificate files are missing or broken. Today, we saw how our Support Engineers fixed this error.