Why won't curl recognise a self-signed SSL certificate?


If we use cURL to retrieve an HTTPS site that is not using a CA-signed certificate, the following problem occurs:

curl https://example.selfip.com
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

While we can bypass this with the -k option, which turns off certificate verification for the request, there is a safer and more lasting solution:

Step 1
Identify which directory your OpenSSL installation uses.

openssl version -d
OPENSSLDIR: "/usr/lib/ssl"

Step 2
Change to that directory and list the directory contents. You should see a directory called certs.

cd /usr/lib/ssl && ls -al

Step 3
Change to the certs directory.

cd certs

List the directory contents. You should see from the symlinks that the certificates are actually stored in /usr/share/ca-certificates.

Step 4
Change to the /usr/share/ca-certificates directory and add your self-signed certificate there (e.g. your.cert.name.crt).

Step 5
Change to the /etc directory and edit the file ca-certificates.conf.

root@ubuntu:# cd /etc
root@ubuntu:# nano ca-certificates.conf

Add your.cert.name.crt to the file (ca-certificates.conf) and save it.

Last Step:

Execute the program update-ca-certificates --fresh.
Note: You might like to back up /etc/ssl/certs before executing the command.

root@ubuntu:# update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...done.
Updating certificates in /etc/ssl/certs....done.
Running hooks in /etc/ca-certificates/update.d....done.

Test with curl on your target HTTPS site and it should work now.
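
Steps 4 and 5 can be scripted so the edit to ca-certificates.conf is repeatable and can be rehearsed on a copy first. The following is an added example, not part of the original page; the function names are hypothetical, and it assumes the file format used by update-ca-certificates (one certificate path per line, "!" marks a deselected entry, "#" a comment).

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Function names are hypothetical.

# True only if FILE holds a PEM certificate block, the format the store expects.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Show subject, issuer, expiry and SHA-256 fingerprint so the certificate can be
# compared with values obtained from the server's owner before it is trusted.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# enable_ca_cert CONF NAME: make sure NAME is an active line in CONF.
# Prints "present", "re-enabled" or "added". Lines starting with "!" are
# deselected entries; lines starting with "#" are comments.
enable_ca_cert() {
    if grep -Fxq -- "$2" "$1"; then
        echo present
    elif grep -Fxq -- "!$2" "$1"; then
        # Strip the leading "!" instead of appending a duplicate line.
        tmp=$(mktemp)
        awk -v n="!$2" '$0 == n { print substr($0, 2); next } { print }' "$1" > "$tmp"
        cat "$tmp" > "$1"   # rewrite in place, keeping the file's owner and mode
        rm -f "$tmp"
        echo re-enabled
    else
        # Guard against a file whose last line has no trailing newline.
        [ -z "$(tail -c 1 "$1")" ] || echo >> "$1"
        printf '%s\n' "$2" >> "$1"
        echo added
    fi
}

# Constructed sample standing in for a copy of /etc/ca-certificates.conf.
demo_conf=$(mktemp)
printf '%s\n' '# constructed sample' 'mozilla/Example_Root.crt' \
    '!your.cert.name.crt' > "$demo_conf"
enable_ca_cert "$demo_conf" your.cert.name.crt
rm -f "$demo_conf"
```

Run cert_summary on the certificate file before copying it in Step 4, then call enable_ca_cert with /etc/ca-certificates.conf as root once the rehearsal on a copy looks right.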
