Linux SSL/TLS Certificate Errors — Expired, Self-Signed & Chain Issues
About Linux SSL/TLS Certificate Errors
Fix Linux SSL/TLS errors including certificate expired, unable to verify certificate chain, self-signed certificate rejection, and CA bundle configuration. This page covers the common causes, the diagnostic and repair steps, and the question of when, if ever, verification should be bypassed.
Certificate errors from curl, wget, git and other TLS clients mean the client could not build a chain from the server's certificate to a root in its trust store; the most common message is curl's 'SSL certificate problem: unable to get local issuer certificate'. The system CA bundle lives under /etc/ssl/certs/ (Debian/Ubuntu, bundle file ca-certificates.crt) or /etc/pki/tls/certs/ (RHEL and derivatives, bundle file ca-bundle.crt). Let's Encrypt certificates chain to ISRG Root X1, which must be in the trust store; bundles old enough to lack it (the DST Root CA X3 that older chains relied on expired in September 2021) fail on every Let's Encrypt site at once. Self-signed certificates are rejected by default and must be explicitly added to the trust store, or passed with --cacert, before a client will accept them.
The most common reasons: an outdated system CA bundle (missing newer roots such as ISRG Root X1); a badly wrong system clock, which makes valid certificates look expired or not yet valid; a corporate proxy that intercepts TLS with its own CA that is not in the trust store; a self-signed certificate on the server; and a server that omits the intermediate certificate, so the client cannot build a chain to a trusted root. The verification error text from openssl tells you which of these you have.
To resolve this: update the CA bundle with sudo apt update && sudo apt install --reinstall ca-certificates (Debian/Ubuntu) or sudo yum update ca-certificates (RHEL; dnf on newer releases). Check the clock with date or timedatectl status and enable NTP with sudo timedatectl set-ntp true. Inspect what the server actually sends with openssl s_client -connect hostname:443 -servername hostname -showcerts </dev/null and read the 'Verify return code' line. Add a custom CA by copying the PEM file to /usr/local/share/ca-certificates/ with a .crt extension and running sudo update-ca-certificates (Debian/Ubuntu), or to /etc/pki/ca-trust/source/anchors/ followed by sudo update-ca-trust (RHEL). For a one-off curl call, pass the CA explicitly: curl --cacert /path/to/ca-bundle.crt URL. Adding a CA trusts it for every TLS connection on the host, so only add CAs you control or have verified, such as your internal CA or the corporate proxy's CA.
This article is part of our Linux Error Codes collection on Error Codes Wiki.
Quick Answer
Should I use --insecure or -k to bypass certificate errors?
Only for testing, and never in production or in scripts. -k/--insecure disables certificate verification entirely, so anyone on the network path can impersonate the server. Fix the root cause instead: update the CA bundle, fix the clock, or add the correct CA to the trust store (or pass it with --cacert).
Overview
Fix Linux SSL/TLS errors including certificate expired, unable to verify certificate chain, self-signed certificate rejection, and CA bundle configuration.
Key Details
- Certificate errors from curl, wget, git, and other tools indicate TLS verification failure: the client could not build a chain from the server certificate to a root in its trust store
- Common: 'SSL certificate problem: unable to get local issuer certificate' (curl on OpenSSL, verify error 20; git links libcurl and shows the same text); wget reports the same condition as 'Unable to locally verify the issuer's authority'
- CA certificates are stored in /etc/ssl/certs/ (Debian/Ubuntu; bundle ca-certificates.crt, built from /usr/share/ca-certificates/ and /usr/local/share/ca-certificates/) or /etc/pki/tls/certs/ (RHEL; bundle ca-bundle.crt, built from /etc/pki/ca-trust/source/anchors/) depending on distro
- Let's Encrypt certificates require the ISRG Root X1 CA in the trust store; the DST Root CA X3 that older chains relied on expired in September 2021, so bundles from before then fail on every Let's Encrypt site
- Self-signed certificates are rejected by default and must be explicitly trusted, either by installing them into the system trust store or by passing them with --cacert
Common Causes
- System CA certificate bundle outdated (missing newer roots such as ISRG Root X1)
- Clock significantly wrong, causing valid certificates to appear expired or not yet valid
- Corporate proxy that intercepts TLS with its own MITM CA, which is not in the trust store
- Self-signed certificate used on the server
- Intermediate certificate missing from the server configuration (incomplete chain): the client receives only the leaf and cannot find its issuer locally, which is exactly the 'unable to get local issuer certificate' case
Steps
1. Update CA certificates: sudo apt update && sudo apt install --reinstall ca-certificates (Debian/Ubuntu) or sudo yum update ca-certificates (RHEL; dnf on newer releases). Reinstalling the same package version only repairs a damaged bundle; to pick up newer roots the package itself must be updated.
2. Check system time: date (or timedatectl status) and compare with a known-good clock; fix with sudo timedatectl set-ntp true.
3. Test the certificate chain the server sends: openssl s_client -connect hostname:443 -servername hostname -showcerts </dev/null. The -servername flag is needed for SNI hosts; read the 'Verify return code' line and check that the intermediate appears in the output.
4. Add a custom CA: copy the PEM certificate to /usr/local/share/ca-certificates/ with a .crt extension, then sudo update-ca-certificates (Debian/Ubuntu); on RHEL copy it to /etc/pki/ca-trust/source/anchors/ and run sudo update-ca-trust.
5. For curl specifically: curl --cacert /path/to/ca-bundle.crt URL. Use this for one-off calls to a known internal CA rather than --insecure.
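The causes and checks above, reproduced offline as an added example (this is not code from the Error Codes Wiki page): the script builds a throw-away root/intermediate/leaf chain with the openssl CLI, then runs `openssl verify` the way a client does, once per failure mode, and maps the resulting error text onto the causes listed under Common Causes. The lab names (*.lab.internal), the scratch directory and the classification labels are assumptions made for the example; it needs only openssl 1.1.0 or newer and no network.

```shell
#!/bin/sh
# Added example, not part of the Error Codes Wiki page: build a throw-away
# root -> intermediate -> leaf chain with the openssl CLI and reproduce the
# failure classes above with `openssl verify`, which applies the same checks
# curl, wget and git rely on. Runs offline; needs openssl 1.1.0+.
# Everything under *.lab.internal and the scratch directory is made up.
set -eu

LAB="${LAB:-$(mktemp -d)}"   # scratch directory for keys and certificates

# Generate a self-signed root, an intermediate signed by the root and a
# server (leaf) certificate signed by the intermediate, all valid for one day.
tls_lab_setup() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$LAB/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:leaf.lab.internal\n' > "$LAB/leaf.ext"
    for name in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$LAB/$name.key" \
            -out "$LAB/$name.csr" -subj "/CN=$name.lab.internal" 2>/dev/null
    done
    openssl x509 -req -in "$LAB/root.csr" -signkey "$LAB/root.key" \
        -extfile "$LAB/ca.ext" -set_serial 1 -days 1 -out "$LAB/root.pem" 2>/dev/null
    openssl x509 -req -in "$LAB/int.csr" -CA "$LAB/root.pem" -CAkey "$LAB/root.key" \
        -extfile "$LAB/ca.ext" -set_serial 2 -days 1 -out "$LAB/int.pem" 2>/dev/null
    openssl x509 -req -in "$LAB/leaf.csr" -CA "$LAB/int.pem" -CAkey "$LAB/int.key" \
        -extfile "$LAB/leaf.ext" -set_serial 3 -days 1 -out "$LAB/leaf.pem" 2>/dev/null
}

# Map openssl's verification text onto the causes above. Accepts the output
# of `openssl verify` and the "Verify return code: N (...)" line of s_client.
classify_tls_error() {
    case "$1" in
        *"has expired"*|*"not yet valid"*) echo "clock-or-expiry" ;;       # check date / NTP first
        *"self signed"*|*"self-signed"*)   echo "untrusted-self-signed" ;; # add the cert to the trust store
        *"issuer certificate"*)            echo "missing-issuer" ;;        # incomplete chain or CA not in store
        *": OK"*|*"(ok)"*)                 echo "ok" ;;
        *)                                 echo "other" ;;
    esac
}

# verify_chain CAFILE UNTRUSTED LEAF [EPOCH]
#   CAFILE    trust store to use ("" = trust nothing, like a host with no CA bundle)
#   UNTRUSTED intermediates the server would send ("" = server sends only the leaf)
#   EPOCH     pretend the clock says this (simulates a wrong system time)
# Prints the classification on stdout; the raw openssl output goes to stderr.
verify_chain() {
    cafile=$1 untrusted=$2 leaf=$3 attime=${4:-}
    set -- -no-CApath
    if [ -n "$cafile" ]; then set -- "$@" -CAfile "$cafile"; else set -- "$@" -no-CAfile; fi
    if [ -n "$untrusted" ]; then set -- "$@" -untrusted "$untrusted"; fi
    if [ -n "$attime" ]; then set -- "$@" -attime "$attime"; fi
    out=$(openssl verify "$@" "$leaf" 2>&1) || true
    printf '%s\n' "$out" >&2
    classify_tls_error "$out"
}

tls_lab_setup
now=$(date +%s)
printf '%-42s %s\n' "full chain, root trusted:"             "$(verify_chain "$LAB/root.pem" "$LAB/int.pem" "$LAB/leaf.pem")"
printf '%-42s %s\n' "server omits intermediate:"            "$(verify_chain "$LAB/root.pem" "" "$LAB/leaf.pem")"
printf '%-42s %s\n' "root missing from trust store:"        "$(verify_chain "" "$LAB/int.pem" "$LAB/leaf.pem")"
printf '%-42s %s\n' "self-signed cert, not trusted:"        "$(verify_chain "" "" "$LAB/root.pem")"
printf '%-42s %s\n' "self-signed cert, explicitly trusted:" "$(verify_chain "$LAB/root.pem" "" "$LAB/root.pem")"
printf '%-42s %s\n' "clock two days ahead (expired):"       "$(verify_chain "$LAB/root.pem" "$LAB/int.pem" "$LAB/leaf.pem" $((now + 172800)))"
printf '%-42s %s\n' "clock a month behind (not yet valid):" "$(verify_chain "$LAB/root.pem" "$LAB/int.pem" "$LAB/leaf.pem" $((now - 2592000)))"
```

`classify_tls_error` also accepts the 'Verify return code' line that `openssl s_client -connect host:443 -servername host -showcerts </dev/null 2>&1 | grep 'Verify return code'` prints against a real server, so the same mapping works on live hosts. The result points at the matching step above: `missing-issuer` at depth 0 means the server omitted its intermediate (at depth 1 or higher, your bundle lacks the root), `clock-or-expiry` means check `date` before touching the trust store, and `untrusted-self-signed` means the certificate has to be installed with update-ca-certificates or update-ca-trust, not bypassed with -k.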