Ca-certificates causes trouble with curl

Hello! :slight_smile:

curl -vIL "https://dayz.com/api/article?rowsPerPage=1"

leads to

curl: (60) SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

I have tried the solutions from

and

with no luck.

Any more ideas?

Cheers!

Hi @dexic

So, just to confirm: you tried this and it didn’t work?

sudo pacman -Sw ca-certificates-utils
sudo pacman -U /var/cache/pacman/pkg/ca-certificates-utils-20240618-1-any.pkg.tar.xz
sudo pacman -Syu

sudo pacman -U /var/cache/pacman/pkg/ca-certificates-utils-20240618-1-any.pkg.tar.xz
Pakete werden geladen 

Fehler: '/var/cache/pacman/pkg/ca-certificates-utils-20240618-1-any.pkg.tar.xz': Konnte Paket nicht finden oder lesen

You need to look at the version number. That can differ. This is not just a copy-paste command. The original post is from 2022, so the version differs in the example given.

Show the output with the right version number.

sudo pacman -Sw ca-certificates-utils

example:

sudo pacman -Sw ca-certificates-utils

[sudo] password for USER: 
resolving dependencies...

Packages (1) ca-certificates-utils-20240618-1

Total Download Size:  0,00 MiB

:: Proceed with download? [Y/n] 

This number is important: 20240618-1.


What you can do


Copy this line to the terminal.

sudo pacman -U /var/cache/pacman/pkg/ca-certificates-utils-

You hit TAB.

  • The line will be completed automatically with your version number

Hope this helps.

It looks like Arch has killed something

I have followed your instructions to the dot, dotted the I’s and crossed the T’s.

ca-certificates-utils 20240618-1 20240618-1 0,00 MiB

Gesamtgröße der installierten Pakete: 0,01 MiB
Größendifferenz der Aktualisierung: 0,00 MiB

:: Installation fortsetzen? [J/n]
(1/1) Schlüssel im Schlüsselbund werden geprüft [-------------------------------------------------------------] 100%
(1/1) Paket-Integrität wird überprüft [-------------------------------------------------------------] 100%
(1/1) Paket-Dateien werden geladen [-------------------------------------------------------------] 100%
(1/1) Auf Dateikonflikte wird geprüft [-------------------------------------------------------------] 100%
:: Paketänderungen werden verarbeitet 

(1/1) Reinstalliert wird ca-certificates-utils [-------------------------------------------------------------] 100%
:: Post-transaction-Hooks werden gestartet 

(1/3) Arming ConditionNeedsUpdate...
(2/3) Rebuilding certificate stores...
(3/3) Checking which packages need to be rebuilt
foreign python-backports-zstd

sudo pacman -U /var/cache/pacman/pkg/ca-certificates-utils-20240618-1-any.pkg.tar.xz
Pakete werden geladen 

Fehler: '/var/cache/pacman/pkg/ca-certificates-utils-20240618-1-any.pkg.tar.xz': Konnte Paket nicht finden oder lesen

Are you on a device that uses an ARM processor? While Arch’s ARM branch apparently still uses xz, for other architectures Arch switched from xz to zstd for their compressed packages since 2020. The correct package is ca-certificates-utils-20240618-1-any.pkg.tar.zst. So the command will be:

sudo pacman -U /var/cache/pacman/pkg/ca-certificates-utils-20240618-1-any.pkg.tar.zst

I don’t know that this will fix your issue, but if you’re not using an ARM device this will at least allow pacman to find the package.

Intel processor.

The command you posted didn’t solve it either. Don’t know which wall to hit with my head. :smiley:

I didn’t think it would, but trying to manually install an xz archived package when the system uses zstd was probably going to waste a lot more time in this thread trying to solve that.

Hi @dexic

First, it is really hard to read your text.

When creating a message with output and terminal commands,
Use key Ctrl + e and paste the output.

info: the line below downloads the package.

Assuming you first did

sudo pacman -Sw ca-certificates-utils

After downloading the certificate pkg.tar.xz you can install it with pacman -U


Just to confirm this step 
 Did you do 


Copy this exact line to the terminal. You see no number and pkg.tar.xz, that’s right.

sudo pacman -U /var/cache/pacman/pkg/ca-certificates-utils-

After you copied the exact line above, hit the TAB key.

  • The line will be completed automatically with the right version number

The following question I should have asked at first.

Can you give the output of

sudo pacman -Sw ca-certificates-utils

So we can see the right version you downloaded for installation.
Though the TAB key auto-complete function is very handy to know :wink:

sudo pacman -Sw ca-certificates-utils
[sudo] Passwort für ds:
Abhängigkeiten werden aufgelöst 


Paket (1) Alte Version Neue Version Netto-Veränderung

core/ca-certificates-utils 20240618-1 20240618-1 0,00 MiB

Gesamtgröße des Downloads: 0,00 MiB

:: Download fortsetzen? [J/n]
(1/1) Schlüssel im Schlüsselbund werden geprüft [-------------------------------------------------------------] 100%
(1/1) Paket-Integrität wird überprüft [-------------------------------------------------------------] 100%

sudo pacman -U /var/cache/pacman/pkg/ca-certificates-utils-20240618-1-any.pkg.tar.zst
Pakete werden geladen 

Warnung: ca-certificates-utils-20240618-1 ist aktuell – Reinstalliere
Abhängigkeiten werden aufgelöst 

Nach in Konflikt stehenden Paketen wird gesucht 


Paket (1)              Alte Version  Neue Version  Netto-Veränderung

ca-certificates-utils  20240618-1    20240618-1             0,00 MiB

Gesamtgröße der installierten Pakete:  0,01 MiB
Größendifferenz der Aktualisierung:    0,00 MiB

:: Installation fortsetzen? [J/n]
(1/1) Schlüssel im Schlüsselbund werden geprüft                                                        [-------------------------------------------------------------] 100%
(1/1) Paket-Integrität wird überprüft                                                                  [-------------------------------------------------------------] 100%
(1/1) Paket-Dateien werden geladen                                                                     [-------------------------------------------------------------] 100%
(1/1) Auf Dateikonflikte wird geprüft                                                                  [-------------------------------------------------------------] 100%
:: Paketänderungen werden verarbeitet 

(1/1) Reinstalliert wird ca-certificates-utils                                                         [-------------------------------------------------------------] 100%
:: Post-transaction-Hooks werden gestartet 

(1/3) Arming ConditionNeedsUpdate

(2/3) Rebuilding certificate stores

(3/3) Checking which packages need to be rebuilt
foreign python-backports-zstd

sudo pacman -Sw ca-certificates-utils
Abhängigkeiten werden aufgelöst 


Paket (1) Alte Version Neue Version Netto-Veränderung

core/ca-certificates-utils 20240618-1 20240618-1 0,00 MiB

Gesamtgröße des Downloads: 0,00 MiB

:: Download fortsetzen? [J/n]
(1/1) Schlüssel im Schlüsselbund werden geprüft [-------------------------------------------------------------] 100%
(1/1) Paket-Integrität wird überprüft

curl -vIL 'https://dayz.com/api/article?rowsPerPage=1'
* Host dayz.com:443 was resolved.
* IPv6: (none)
* IPv4: 104.18.5.17, 104.18.4.17
*   Trying 104.18.5.17:443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Unknown (25):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*   subject: CN=dayz.com
*   start date: Apr  2 22:12:06 2026 GMT
*   expire date: Jul  1 20:07:05 2026 GMT
*   issuer: C=US; O="CLOUDFLARE, INC."; CN=Cloudflare TLS Issuing ECC CA 1
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256
*   Certificate level 1: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
*   subjectAltName: "dayz.com" matches cert's "dayz.com"
* OpenSSL verify result: 14
* SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
* closing connection #0
curl: (60) SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

curl -k (no security check)

curl -kIL 'https://dayz.com/api/article?rowsPerPage=1'
HTTP/2 200
date: Tue, 05 May 2026 20:00:12 GMT
content-type: application/json; charset=utf-8
server: cloudflare
vary: Accept-Encoding
access-control-allow-origin: *
access-control-allow-methods: GET, POST, OPTIONS, PUT, PATCH, DELETE, CONNECT
access-control-allow-headers: X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept
access-control-max-age: 86400
x-content-type-options: nosniff
x-content-type-options: nosniff
x-frame-options: deny
x-frame-options: SAMEORIGIN
x-bohemia-id: dayz-web.api-nodejs
etag: W/"3ceb-sKDgXVDCQrSSM9V1h/qjLcmXEVg"
front-end-https: on
x-xss-protection: 1; mode=block
referrer-policy: origin-when-cross-origin
strict-transport-security: max-age=63072000; includeSubDomains; preload
cf-cache-status: DYNAMIC
cf-ray: 9f7254808ac231bc-STR

Hi @dexic,

I’ve reached the limit of what I can help with on this one — sorry I couldn’t get you to the finish line!

The reinstall of ca-certificates-utils did complete successfully, so if the curl error is still happening there may be something deeper going on.

I’d suggest:

That will give others here a better picture to work with. I’m sure someone will be able to pick this up!

Good luck :slightly_smiling_face:

curl -vIL “https://dayz.com/api/article?rowsPerPage=1”
Warning: The argument '“https://dayz.com/api/article?rowsPerPage=1”' starts with a Unicode character. Maybe ASCII was intended?
* URL rejected: Port number was not a decimal number between 0 and 65535
curl: (3) URL rejected: Port number was not a decimal number between 0 and 65535
~ [3]>

trust list | grep -i dayz
~ [0|1]>

Try this:

curl -vIL "https://dayz.com/api/article?rowsPerPage=1"

and

trust list | grep -i dayz

curl -vIL "https://dayz.com/api/article?rowsPerPage=1"  
*   Trying 104.18.4.17:443... 
* ALPN: curl offers h2,http/1.1 
* TLSv1.3 (OUT), TLS handshake, Client hello (1): 
* SSL Trust Anchors: 
*   CAfile: /etc/ssl/certs/ca-certificates.crt 
* Host dayz.com:443 was resolved.
* IPv6: (none) 
* IPv4: 104.18.4.17, 104.18.5.17 
* TLSv1.3 (IN), TLS handshake, Server hello (2): 
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1): 
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): 
* TLSv1.3 (IN), TLS handshake, Unknown (25): 
* TLSv1.3 (IN), TLS handshake, CERT verify (15): 
* TLSv1.3 (IN), TLS handshake, Finished (20): 
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1): 
* TLSv1.3 (OUT), TLS handshake, Finished (20): 
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / id-ecPublicKey 
* ALPN: server accepted h2 
* Server certificate: 
*   subject: CN=dayz.com
*   start date: Apr  2 22:12:06 2026 GMT 
*   expire date: Jul  1 20:07:05 2026 GMT 
*   issuer: C=US; O="CLOUDFLARE, INC."; CN=Cloudflare TLS Issuing ECC CA 1 
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256 
*   Certificate level 1: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384 
*   Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption 
*   subjectAltName: "dayz.com" matches cert's "dayz.com"
* OpenSSL verify result: 14 
* SSL certificate OpenSSL verify result: unable to get local issuer certificate (20) 
* closing connection #0 
curl: (60) SSL certificate OpenSSL verify result: unable to get local issuer certificate (20) 
More details here: https://curl.se/docs/sslcerts.html
 
curl failed to verify the legitimacy of the server and therefore could not 
establish a secure connection to it. To learn more about this situation and 
how to fix it, please visit the webpage mentioned above.

trust list | grep -i dayz
ds@bluechip ~ [0|1]>

From what I can gather, the dayz.com website is leveraging Cloudflare’s services:

$ nslookup dayz.com

Non-authoritative answer:
Name:   dayz.com
Address: 104.18.4.17
Name:   dayz.com
Address: 104.18.5.17
$ dig -x 104.18.5.17

; <<>> DiG 9.20.22 <<>> -x 104.18.5.17
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61599
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;17.5.18.104.in-addr.arpa.      IN      PTR

;; AUTHORITY SECTION:
18.104.in-addr.arpa.    3570    IN      SOA     cruz.ns.cloudflare.com. dns.cloudflare.com. 2288625505 10000 2400 604800 3600

This particular issue with the certificates looks to be related to the dayz.com website choosing to leverage Cloudflare’s “Universal SSL” service.

Cloudflare users have reported issues with this:

I’m not sure what you can do to fix it on your end, but you can ignore it. In curl, you can use the --insecure flag to ignore the certificate issues:

curl -vIL --insecure "https://dayz.com/api/article?rowsPerPage=1"

DO NOTE that certificate issues should not normally be ignored. They’re the thing that validates trust. An issue usually suggests trust is broken and that you may not be communicating with who you thought you were. So ignore with caution and be extremely mindful of how you engage with anything where trust has been broken.


With respect to the trust list command, the root certificate authority for dayz.com resolves to SSL.com, so you’d actually run:

trust list | grep SSL.com

dayz.com would be using one of these, which I’d expect you’d have installed:

    label: SSL.com Client ECC Root CA 2022
    label: SSL.com Client RSA Root CA 2022

The issuer for those is AAA Certificate Services, which relates to the above Cloudflare community posts, but I haven’t been able to confirm if the issue here is exactly the same as theirs.

Do you have an issue if you try other https sites? Is your system time correct?

I can replicate the issue @mihalycsaba, so it seems like it’s probably not an isolated issue?

So, you are on the right track, but how do I invoke this in a whole script with many curls? Does

--insecure

override every argument one throws at curl in front of --insecure?

curl -vIL --insecure "https://dayz.com/api/article?rowsPerPage=1"
* Trying 104.18.5.17:443...
* Host dayz.com:443 was resolved.
* IPv6: (none)
* IPv4: 104.18.5.17, 104.18.4.17
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust: peer verification disabled
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Unknown (25):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
* subject: CN=dayz.com
* start date: Apr 2 22:12:06 2026 GMT
* expire date: Jul 1 20:07:05 2026 GMT
* issuer: C=US; O="CLOUDFLARE, INC."; CN=Cloudflare TLS Issuing ECC CA 1
* Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256
* Certificate level 1: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
* Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
* OpenSSL verify result: 14
* SSL certificate verification failed, continuing anyway!
* Established connection to dayz.com (104.18.5.17 port 443) from 192.168.178.53 port 52612
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://dayz.com/api/article?rowsPerPage=1
* [HTTP/2] [1] [:method: HEAD]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: dayz.com]
* [HTTP/2] [1] [:path: /api/article?rowsPerPage=1]
* [HTTP/2] [1] [user-agent: curl/8.20.0]
* [HTTP/2] [1] [accept: */*]
> HEAD /api/article?rowsPerPage=1 HTTP/2
> Host: dayz.com
> User-Agent: curl/8.20.0
> Accept: */*
>
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 200
HTTP/2 200
< date: Thu, 14 May 2026 06:30:25 GMT
date: Thu, 14 May 2026 06:30:25 GMT
< content-type: application/json; charset=utf-8
content-type: application/json; charset=utf-8
< server: cloudflare
server: cloudflare
< vary: Accept-Encoding
vary: Accept-Encoding
< access-control-allow-origin: *
access-control-allow-origin: *
< access-control-allow-methods: GET, POST, OPTIONS, PUT, PATCH, DELETE, CONNECT
access-control-allow-methods: GET, POST, OPTIONS, PUT, PATCH, DELETE, CONNECT
< access-control-allow-headers: X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept
access-control-allow-headers: X-Requested-With, X-HTTP-Method-Override, Content-Type, Accept
< access-control-max-age: 86400
access-control-max-age: 86400
< x-content-type-options: nosniff
x-content-type-options: nosniff
< x-content-type-options: nosniff
x-content-type-options: nosniff
< x-frame-options: deny
x-frame-options: deny
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< x-bohemia-id: dayz-web.api-nodejs
x-bohemia-id: dayz-web.api-nodejs
< etag: W/"3ceb-sKDgXVDCQrSSM9V1h/qjLcmXEVg"
etag: W/"3ceb-sKDgXVDCQrSSM9V1h/qjLcmXEVg"
< front-end-https: on
front-end-https: on
< x-xss-protection: 1; mode=block
x-xss-protection: 1; mode=block
< referrer-policy: origin-when-cross-origin
referrer-policy: origin-when-cross-origin
< strict-transport-security: max-age=63072000; includeSubDomains; preload
strict-transport-security: max-age=63072000; includeSubDomains; preload
< cf-cache-status: DYNAMIC
cf-cache-status: DYNAMIC
< cf-ray: 9fb7daa7ffe02c10-STR
cf-ray: 9fb7daa7ffe02c10-STR
<

* Connection #0 to host dayz.com:443 left intact

trust list | grep SSL.com
    label: SSL.com Client ECC Root CA 2022
    label: SSL.com Client RSA Root CA 2022
    label: SSL.com EV Root Certification Authority ECC
    label: SSL.com EV Root Certification Authority RSA R2
    label: SSL.com Root Certification Authority ECC
    label: SSL.com Root Certification Authority RSA
    label: SSL.com TLS ECC Root CA 2022
    label: SSL.com TLS RSA Root CA 2022

I have put a -k in between curl and all the other arguments, so now it works. There were 6 curls in that script. Thank you for helping me!

I intentionally used --insecure, instead of -k (they do the same thing), because it means in your script, you may be reminded to check the status of that from time to time.

Ideally, you shouldn’t be using it, and having the word “insecure” there is a nice reminder :wink:
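
Added example, not part of the thread: the last two posts note that `-k` and `--insecure` do the same thing and that the short form is easy to overlook in a script with several curl calls. The POSIX shell sketch below lists every line of a script where curl runs with verification disabled, including `-k` inside a cluster such as `-kIL`; the function names, the sample script and its example.org URLs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report where a script runs curl with
# certificate verification off (--insecure, or -k alone or in a cluster).
# Limits: quoting and backslash line continuations are not parsed.

# curl short options that take an argument; in a cluster such as -okfile
# everything after them is that argument, not more flags.
ARG_TAKING='AbcCdDeEFHKmoPQrTtuUwxXyYz'
# word_disables_verify WORD: succeeds if WORD switches verification off.
word_disables_verify() {
    case $1 in
        --insecure) return 0 ;;
        --*|-|[!-]*|'') return 1 ;;
    esac
    rest=${1#-}
    while [ -n "$rest" ]; do
        ch=${rest%"${rest#?}"}   # first character of the cluster
        rest=${rest#?}
        [ "$ch" = k ] && return 0
        case $ARG_TAKING in *"$ch"*) return 1 ;; esac
    done
    return 1
}

# scan_insecure_curl FILE: prints "LINE:FLAG" for each hit.
scan_insecure_curl() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        trimmed=${line#"${line%%[![:space:]]*}"}
        case $trimmed in \#*) continue ;; esac   # skip comment lines
        in_curl=0
        set -f                   # split on whitespace without globbing
        for w in $line; do
            case $w in
                curl|*/curl) in_curl=1; continue ;;
                '|'|'||'|'&&'|';') in_curl=0; continue ;;
            esac
            if [ "$in_curl" = 1 ] && word_disables_verify "$w"; then
                printf '%s:%s\n' "$n" "$w"
            fi
        done
        set +f
    done <"$1"
}

# Constructed sample script; the URLs are placeholders.
sample_script() {
    cat <<'EOF'
# curl -k in a comment is ignored
curl -sS "https://example.org/a"
curl -kIL "https://example.org/b"
curl -okfile "https://example.org/d"
curl -vIL --insecure "https://example.org/e" | sort -k 2
EOF
}
# With a file argument scan it; without one, scan the constructed sample.
if [ "$#" -gt 0 ]; then scan_insecure_curl "$1"
else tmp=$(mktemp); sample_script >"$tmp"; scan_insecure_curl "$tmp"; rm -f "$tmp"; fi
```

Running it over a script before each release shows whether a temporary `-k` is still there after the server's chain verifies again.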