Learn how to fix cURL Error 60 caused by SSL certificate verification failures. This guide explains secure, production-ready solutions using updated CA certificates and modern server configurations.
cURL Error 60 occurs when an application is unable to validate the SSL certificate presented by a remote server. This error is related to trust verification and typically indicates that the local system cannot confirm the authenticity of the certificate chain.
From a security and reliability standpoint, this behavior is expected and desirable. SSL verification exists to protect data integrity and confidentiality. The objective of this guide is to resolve the error without reducing security standards, using practices that are current and suitable for modern production environments.
Prerequisites
Before we begin, let’s ensure we have the following in place:
- A Linux OS installed on a dedicated server or KVM VPS.
- Basic programming knowledge.
Step 1: Identify Where the Error Occurs
Before applying any changes, it is important to determine whether the issue originates from:
- System-level cURL
- PHP cURL
- A containerized environment
- A specific application runtime
Run the following command from the server or environment where the issue occurs:
curl -Iv https://example.com
If the output indicates an SSL certificate verification failure, the issue is related to local trust configuration rather than network connectivity or DNS resolution.
If the command succeeds in the terminal but fails in PHP or another runtime, the issue is isolated to that specific environment.
Step 2: Ensure CA Certificates Are Installed and Up to Date
Most modern operating systems rely on a centralized Certificate Authority (CA) store. If this store is missing or outdated, SSL validation fails.
Ubuntu / Debian (2025 LTS and later)
sudo apt update
sudo apt install --reinstall ca-certificates
sudo update-ca-certificates
RHEL / AlmaLinux / Rocky Linux
sudo dnf install ca-certificates
sudo update-ca-trust extract
These commands refresh the trusted CA bundle using the latest maintained sources. After completion, re-test the cURL request.
Step 3: Validate the Remote Server Certificate Chain
If the local CA store is current, the next step is to verify the server’s certificate chain.
Run:
openssl s_client -connect example.com:443 -showcerts
Confirm that:
- The server presents a complete certificate chain
- Intermediate certificates are included
- The chain resolves to a trusted root CA
If intermediate certificates are missing, the correction must be applied on the server side. Client-side workarounds are not appropriate in this scenario.
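The checks listed above can be run over saved `openssl s_client -showcerts` output. This is an added example, not part of the original guide: `triage_chain` and the two sample functions are hypothetical names, the sample outputs are constructed, and the mapping from verify codes 19, 20 and 21 to a likely cause is a heuristic based on OpenSSL's usual behaviour.

```bash
# Added example: classify `openssl s_client -showcerts` output read from stdin.
# Live use: openssl s_client -connect example.com:443 -showcerts </dev/null 2>&1 | triage_chain
triage_chain() {
  awk '
    /^Certificate chain/        { in_chain = 1; next }
    in_chain && /^---$/         { in_chain = 0 }   # section end; PEM markers are longer
    in_chain && /^ *[0-9]+ s:/  { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
    in_chain && /^ *i:/         { sub(/^ *i:/, ""); iss[n - 1] = $0; next }
    /Verify return code:/       { code = $4 }
    END {
      linked = 1   # each issuer must equal the subject of the next certificate
      for (k = 0; k + 1 < n; k++) if (iss[k] != subj[k + 1]) linked = 0
      if (code == "")                    verdict = "no-verify-result"
      else if (code == 0)                verdict = "ok"
      else if (!linked)                  verdict = "chain-not-linked"
      else if (code == 21 && n == 1)     verdict = "server-missing-intermediate"
      else if (code == 20 || code == 19) verdict = "issuer-not-in-local-store"
      else                               verdict = "other"
      printf "%s certs=%d code=%s\n", verdict, n, code
    }'
}

# Constructed sample: the server sent only its leaf certificate (fix on the server).
sample_leaf_only() { cat <<'EOF'
---
Certificate chain
 0 s:CN = app.example.com
   i:O = Constructed CA, CN = Constructed Intermediate
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Constructed sample: full chain sent, but the root is absent from the local CA store (Step 2).
sample_root_untrusted() { cat <<'EOF'
Certificate chain
 0 s:CN = app.example.com
   i:O = Constructed CA, CN = Constructed Intermediate
 1 s:O = Constructed CA, CN = Constructed Intermediate
   i:O = Constructed CA, CN = Constructed Root
---
Verify return code: 20 (unable to get local issuer certificate)
EOF
}
```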
Step 4: Align PHP cURL With the System CA Store
In modern hosting environments, PHP does not always automatically reference the system CA bundle. This is a frequent cause of Error 60 in web applications.
Locate the active PHP configuration file:
php --ini
Edit the identified php.ini file and ensure the following directives are set:
curl.cainfo="/etc/ssl/certs/ca-certificates.crt"
openssl.cafile="/etc/ssl/certs/ca-certificates.crt"
The file path may differ by distribution. Confirm the correct path exists before saving changes.
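Restart the relevant service. The unit name depends on the distribution and PHP version, so confirm it before running the command: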
sudo systemctl restart php-fpm
or
sudo systemctl restart apache2
Step 5: Use a Custom CA Bundle in Restricted Environments
In environments where system-level changes are not permitted, such as shared hosting or locked-down containers, a custom CA bundle can be used.
Download the current Mozilla-maintained CA bundle:
https://curl.se/ca/cacert.pem
Store it in a persistent location within the application environment.
Reference it explicitly in the PHP configuration:
curl.cainfo="/path/to/cacert.pem"
openssl.cafile="/path/to/cacert.pem"
This approach preserves SSL verification while restoring certificate trust.
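Steps 4 and 5 both depend on the configured paths pointing at a real, non-empty bundle. The check below is an added example, not part of the original guide: `ini_value`, `check_php_ca_bundle` and `make_sample` are hypothetical helper names, and the sample php.ini and bundle are constructed.

```bash
# Added example: confirm the CA bundle paths in a php.ini exist and hold certificates.

# ini_value <php.ini> <directive>: last uncommented value, blanks and quotes stripped
ini_value() {
  awk -F= -v key="$2" '
    { k = $1; gsub(/[ \t]/, "", k) }
    k == key && NF > 1 {
      v = substr($0, index($0, "=") + 1)
      sub(/[ \t]*;.*$/, "", v)              # drop a trailing ; comment
      gsub(/^[ \t"]+|[ \t"\r]+$/, "", v)    # trim blanks, quotes and CR
      val = v
    }
    END { print val }' "$1"
}

# check_php_ca_bundle <php.ini>: one status line per directive; non-zero if any fails
check_php_ca_bundle() {
  rc=0
  for key in curl.cainfo openssl.cafile; do
    path=$(ini_value "$1" "$key")
    if [ -z "$path" ]; then status="unset"
    elif [ ! -r "$path" ]; then status="unreadable"
    else
      n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$path" || true)
      if [ "$n" -gt 0 ]; then status="ok"; else status="no-certificates"; fi
    fi
    [ "$status" = ok ] || rc=1
    printf '%s %s %s\n' "$key" "$status" "${path:--}"
  done
  return "$rc"
}

# Constructed sample: one directive points at a valid-looking bundle, one at a missing file.
make_sample() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' '(constructed placeholder)' \
    '-----END CERTIFICATE-----' > "$1/cacert.pem"
  printf '%s\n' ';curl.cainfo = "/old/path.pem"' \
    "curl.cainfo = \"$1/cacert.pem\"  ; custom bundle" \
    "openssl.cafile=\"$1/does-not-exist.pem\"" > "$1/php.ini"
}
```

Run it against the file reported by `php --ini`; a non-zero exit status means at least one directive is unset or points at a file that is unreadable or contains no PEM certificates.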
Step 6: Review Container and Cloud Runtime Configurations
For Docker, Kubernetes, or minimal base images, CA certificates may not be installed by default.
Example for Debian-based containers:
RUN apt-get update && apt-get install -y ca-certificates
Ensure CA installation is part of the image build process, not a manual runtime fix.
Step 7: Avoid Disabling SSL Verification in Production
Disabling SSL verification may suppress the error, but it also removes certificate validation entirely, so the application can no longer tell the intended server from an impostor. This exposes applications to security risks and compliance issues.
In production environments, SSL verification should always remain enabled. If disabling verification appears necessary, the underlying trust configuration has not been properly addressed.
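To confirm that no earlier workaround is still in place, a code base can be searched for settings that switch verification off. This is an added example, not part of the original guide: `find_disabled_tls_verification` and `make_samples` are hypothetical names, the sample files are constructed, and the patterns are heuristics whose hits need manual review.

```bash
# Added example: list lines that turn off TLS certificate verification.
# Patterns, in order:
#   1. CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST set to false or 0
#   2. PHP stream context options verify_peer / verify_peer_name set to false or 0
#   3. curl command lines using -k (also inside clusters such as -sk) or --insecure
# Exit status follows grep: 0 when something was found, 1 when the tree is clean.
find_disabled_tls_verification() {
  off='(false|FALSE|False|0)([^[:alnum:]_]|$)'
  grep -rnE \
    -e "CURLOPT_SSL_VERIFY(PEER|HOST)[[:space:]]*(,|=>)[[:space:]]*$off" \
    -e ".verify_peer(_name)?.[[:space:]]*=>[[:space:]]*$off" \
    -e "(^|[^[:alnum:]_])curl[[:space:]]([^|;&]*[[:space:]])?(-[[:alpha:]]*k[[:alpha:]]*|--insecure)([[:space:]]|\$)" \
    -- "${1:-.}"
}

# Constructed sample tree: three lines disable verification, the rest do not.
make_samples() {
  cat > "$1/bad.php" <<'EOF'
<?php
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
$ctx = stream_context_create(['ssl' => ['verify_peer_name' => FALSE]]);
EOF
  cat > "$1/good.php" <<'EOF'
<?php
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_CAINFO, '/etc/ssl/certs/ca-certificates.crt');
EOF
  cat > "$1/health.sh" <<'EOF'
curl -sk https://internal.example/health
curl -sS -K /etc/curlrc https://internal.example/health
EOF
}
```

Each hit is printed as `file:line:content`, which makes the function usable as a CI gate that fails the build while any such line remains.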
Step 8: Perform a Final Validation
After applying changes:
curl -Iv https://example.com
php -r "var_dump(curl_version());"
Confirm that:
- SSL verification completes successfully
- PHP and system cURL behave consistently
- No warnings or certificate errors remain
Consistency across environments indicates a correct and durable resolution.
Step 9: Maintain Ongoing SSL Reliability
To prevent recurrence:
- Keep operating systems and containers updated
- Renew SSL certificates before expiration
- Ensure servers always present full certificate chains
- Avoid bundling outdated CA files within applications
Proactive certificate and system maintenance significantly reduces SSL-related incidents.
Summary
cURL Error 60 reflects a certificate trust validation issue, not a software defect. Resolving it correctly strengthens application security and ensures long-term stability.
By maintaining updated CA stores, validating server certificate chains, and aligning application runtimes with trusted sources, this issue can be resolved in a secure and future-ready manner.

