SSL Certificate Error

Linux

Severity: Moderate

What Does This Error Mean?

SSL certificate errors on Linux occur when a tool like curl, wget, git, or apt cannot verify the SSL certificate of the server it is connecting to. You see messages like 'SSL certificate problem: certificate has expired,' 'unable to get local issuer certificate,' or 'certificate verify failed.' The most common causes are an incorrect system date and time, an outdated CA certificates package, or a corporate proxy intercepting HTTPS connections.

Affected Models

  • Ubuntu
  • Debian
  • Fedora
  • CentOS
  • Arch Linux
  • Linux Mint
  • openSUSE

Common Causes

  • The system date and time is wrong, making valid certificates appear expired or not yet valid
  • The ca-certificates package is outdated and does not include the certificate authority that signed the server's certificate
  • A corporate proxy or firewall is performing SSL inspection and presenting its own certificate
  • The server's SSL certificate has genuinely expired and the server has not renewed it
  • The system's certificate store is corrupted or has incomplete root certificates

How to Fix It

  1. Fix your system date and time first. Check that the time is correct:
       timedatectl status
     Enable NTP time sync, then wait a moment and check again:
       sudo timedatectl set-ntp true

    A clock that is even a few hours off will cause SSL certificates to appear invalid. This is the most common and easiest-to-fix cause.

  2. Update the CA certificates package.
     On Ubuntu/Debian:
       sudo apt update && sudo apt install --reinstall ca-certificates && sudo update-ca-certificates
     On Fedora/RHEL:
       sudo dnf update ca-certificates

    The ca-certificates package contains the list of trusted certificate authorities. If it is outdated, newer certificates signed by newer authorities will not be trusted.

  3. Test whether the certificate problem is on the server or your system:
       curl -v https://[domain] 2>&1 | grep -E 'certificate|SSL|TLS|expire'
     If the output mentions 'certificate has expired,' the server's certificate is the problem, not your system.

    If the server's certificate is expired, the website owner needs to renew it. From your end, you can only confirm the problem.

  4. Add a custom corporate certificate if behind a proxy. If your IT department gave you a .crt certificate file:
       sudo cp company.crt /usr/local/share/ca-certificates/
       sudo update-ca-certificates

    Corporate SSL inspection proxies present their own certificate. Installing the corporate root CA certificate tells your system to trust that proxy's certificates.

  5. For git specifically, if a repository server has a self-signed certificate:
       git config --global http.sslVerify false
     WARNING: only use this as a temporary measure for testing. Re-enable verification after fixing the certificate issue.

    Permanently disabling SSL verification is a security risk. Use it only temporarily to confirm the SSL certificate is the actual problem.
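
The check below is an added example, not part of the original page: it reads the text of a git config file and reports every scope where http.sslVerify is still switched off, which is one way to confirm that the temporary setting from step 5 was actually removed. The function name find_disabled_verification and the sample config are constructed for illustration; the function inspects one file at a time and does not follow include directives or model precedence between system, global and repository files.

```python
import re

# Added example, not from the original page. The sample config is constructed.
FALSE_VALUES = {"false", "no", "off", "0", ""}  # git's boolean-false literals
SECTION = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')
SETTING = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')


def find_disabled_verification(config_text):
    """Return [(line_number, scope)] for each scope whose final http.sslVerify
    value in this file is false. Scope is the URL of an [http "<url>"] section,
    or "all HTTPS remotes" for a plain [http] section.
    """
    section, url, effective = None, None, {}
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            section, url = header.group(1).lower(), header.group(2)
            line = line[header.end():].strip()  # a setting may follow the header
        setting = SETTING.match(re.split(r"[#;]", line, maxsplit=1)[0].strip())
        if section != "http" or not setting:
            continue
        key, value = setting.group(1).lower(), setting.group(2)
        if key != "sslverify":
            continue
        # A key with no "=" is true; an empty value after "=" is false.
        disabled = value is not None and value.strip().strip('"').lower() in FALSE_VALUES
        effective[url or "all HTTPS remotes"] = (number, disabled)  # last entry wins
        
    return [(n, scope) for scope, (n, off) in effective.items() if off]


SAMPLE_GITCONFIG = """\
[user]
    name = Example User
[http]
    sslVerify = true
[http "https://git.internal.example"]
    sslVerify = false   ; left over from testing
[http]
    sslverify = off # global, overrides the earlier true
"""

if __name__ == "__main__":
    for number, scope in find_disabled_verification(SAMPLE_GITCONFIG):
        print(f"line {number}: certificate verification disabled for {scope}")
```
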

When to Call a Professional

If you are in a corporate environment and SSL errors appear across all HTTPS connections, your IT department has likely deployed an SSL inspection proxy. They can provide the corporate root certificate to install on your machine to restore trust.

Frequently Asked Questions

What is a CA certificate and why does Linux need it?

A CA (Certificate Authority) certificate is the root certificate of an organization that is trusted to vouch for other certificates. When a website presents its SSL certificate, your system checks whether it was signed by a trusted CA. Linux keeps a list of trusted CAs in the ca-certificates package. If the CA that signed a server's certificate is not in that list, Linux rejects the connection as untrusted.

Is it safe to disable SSL verification?

No. Disabling SSL certificate verification means your connection is no longer verified as going to the correct server. A man-in-the-middle attacker could intercept your connection and you would not know. Only disable verification temporarily in isolated test environments, never on production systems or with connections that involve passwords or sensitive data.

Git clone fails with SSL errors. Is there a fix that does not disable verification?

Yes. If the server uses a self-signed certificate, add that specific certificate as trusted for git:
  git config --global http.sslCAInfo /path/to/server-cert.pem
This trusts the specific certificate without disabling verification globally. For a missing intermediate certificate, the server administrator needs to configure their web server to serve the full certificate chain.