I'm working with Symfony 5 and I need to install 'knplabs/knp-snappy-bundle' with composer but I have this message:
[Composer\Downloader\TransportException]
curl error 60 while downloading https://repo.packagist.org/packages.json: SSL certificate problem: self signed certificate in certificate chain
please help me
I tried to add cacert.pem into my php.ini with
curl.cainfo ="C:/wamp64/bin/php/php7.3.21/extras/ssl/cacert.pem"
I tried to disable the verify_peer in my composer.json and nothing is working.
this is my composer diag :
Checking composer.json: WARNING
require.composer/package-versions-deprecated : exact version constraints (1.11.99.1) should be avoided if the package follows semantic versioning
Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: FAIL
[Composer\Downloader\TransportException] curl error 60 while downloading https://repo.packagist.org/packages.json: SSL certificate problem: self signed certificate in certificate chain
Checking github.com rate limit: FAIL
[Composer\Downloader\TransportException] curl error 60 while downloading https://api.github.com/rate_limit: SSL certificate problem: self signed certificate in certificate chain
Checking disk free space: OK
Checking pubkeys:
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0 87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B 0C708369 153E328C AD90147D AFE50952
OK
Checking composer version: FAIL
[Composer\Downloader\TransportException] curl error 60 while downloading https://getcomposer.org/versions: SSL certificate problem: self signed certificate in certificate chain
Composer version: 2.0.13
PHP version: 7.3.21
PHP binary path: C:\wamp64\bin\php\php7.3.21\php.exe
OpenSSL version: OpenSSL 1.1.1g 21 Apr 2020
cURL version: 7.70.0 libz 1.2.11 ssl OpenSSL/1.1.1g
zip: extension present, unzip present
please help me
Maybe my composer config has a problem:
"config": {
    "optimize-autoloader": true,
    "preferred-install": {
        "*": "dist"
    },
    "sort-packages": true,
    "options": {
        "ssl": {
            "verify_peer": false,
            "allow_self_signed": false,
            "cafile": "C:/wamp64/bin/php/php7.3.21/extras/ssl/cacert.pem",
            "local_cert": "C:/wamp64/bin/php/php7.3.21/extras/ssl/cacert.pem"
        }
    }
},
This configuration option, allow_self_signed, comes from nowhere; it has no effect. It doesn't even appear in the documentation of composer.
I lost hours of precious time due to this misleading option.
If you have a similar problem I would recommend to use the latest version of PHP (that meets your requirements, obviously) and the latest composer version, etc. Works for me, but YMMV.
When using curl on my server to access my other servers, I get this response:
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Using curl from my local machine or opening the same URL in the browser displays the certificate as valid. The problem seems to be due to letsencrypt shutting down support for an older root certificate. But I am just not able to update the trusted root certificates of the server.
I tried update-ca-certificates -f -v and manually downloading the updated root certificates via wget https://curl.se/ca/cacert.pem -O /etc/ssl/certs/cacert.pem but nothing works.
Any ideas?
As the information is not enough, I cannot confirm the cause, but you may try the following steps to remove the old Let'sEncrypt CA:
Check DST Root is in /etc/pki/tls/certs/ca-bundle.crt, and ISRG Root X1 is in ISRG Root X1.
Copy the "# DST Root CA X3" section into /etc/pki/ca-trust/source/blacklist directory as pem file
Run update-ca-trust
Check DST Root is no longer in /etc/pki/tls/certs/ca-bundle.crt, and ISRG Root X1 is in ISRG Root X1.
This may be late.
But recently I faced this issue
In my case, the system time was set to 2012 for some reason!!
I just fixed it by synchronizing the time:
timedatectl set-ntp true
Suddenly, curl works.
In fact I wasn't trying curl itself, I was trying to install composer on centos 7 when this error appeared, but now everything is great.
Stupid error took me a whole day to fix!
I am using Windows 10 and composer is installed. When I try to install laravel installer globally using this command:
composer global require laravel/installer
[Composer\Downloader\TransportException]
The "https://repo.packagist.org/packages.json" file could not be downloaded:
failed to open stream: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
It means the package is not downloaded. I am not using any proxy server.
Composer diagnose result is listed below:
Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist:
[Composer\Downloader\TransportException] The "http://repo.packagist.org/packages.json" file could not be downloaded: failed to open stream: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Checking https connectivity to packagist:
[Composer\Downloader\TransportException] The "https://repo.packagist.org/packages.json" file could not be downloaded: failed to open stream: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Checking github.com rate limit: FAIL
[Composer\Downloader\TransportException] The
"https://api.github.com/rate_limit" file could not be downloaded: failed to
open stream: A connection attempt failed because the connected party did not
properly respond after a period of time, or established connection failed
because connected host has failed to respond.
Checking disk free space: OK
Checking pubkeys:
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0 87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B 0C708369 153E328C AD90147D AFE50952 OK
Checking composer version: OK
Composer version: 1.8.0
PHP version: 7.2.1
PHP binary path: E:\xampp\php\php.exe
To resolve this, configure composer to use the https repository by running the following command on the cli before installing Laravel
composer config -g repo.packagist composer https://packagist.org
Do you use any antivirus?
If yes try to disable then check.
Sometimes McAfee prevents downloading from packagist.
The following steps will fix most "packages.json file could not be downloaded" issue with Composer:
Verify your firewall setting. Disable Firewall for starters
Enable PHP OpenSSL Extension
Enable PHP allow_url_fopen directive
Note: Make sure you are working with the right PHP version and Environment (apache, CLI, etc.) when you modify the php.ini file.
I believe you are facing the same issue as this and this. Composer recommends the following:
We recommend you fix your IPv6 setup. If that is not possible, you can try the following workarounds:
Sadly, for the Windows workaround it says that if your setup cannot be fixed or if that didn't solve the issue then you should outright disable IPv6, which is a common answer and is also suggested here (however the video has been deleted so I've made this post to have a reliable answer).
(I've purposely aligned the windows as such so you can see the steps to the screen)
Open Control Panel
Navigate to Network and Internet
Click on Network and Sharing Centre
On the left hand side of the window click on Change adapter settings
Find your adapter and open the properties by right clicking on it
Find Internet Protocol Version 6 (TCP/IPv6) and uncheck it
Click OK
Edit #1
What is suggested here is:
Install a Windows level VPN or proxy switcher that acts as the default route if you need to change your IP (effectively). Try CyberGhost
and that seemed to solve the issue for the OP.
I noticed this is also happening when changing networks (moving from office to office for example).
How I managed to solve it is to restart the docker container.
I had this situation happening 2 times already and the same solution helped.
All you need to do is to run your cmd/git as Administrator, no need to uninstall anything.
This problem seems to be common, and I've been through a lot of SO posts related to it and nothing works, and I'm going crazy. What's weird is that it was working perfectly a few weeks ago, and I didn't install anything new for months...
Setup :
PHP 7.1.9
WAMPSERVER 3.1.0
APACHE 2.4.27
Composer 1.6.5 (latest)
I'm not behind a proxy & no firewall
Windows 10
What Works :
composer self-update
What does not work :
Installing a package
I cannot reach https://packagist.org/ with firefox 61.0.1 (64bits) (unsecure connection : MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT)
The error i get with composer require :
[Composer\Downloader\TransportException]
The "https://packagist.org/packages.json" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed
php -r "var_dump(openssl_get_cert_locations());" Returns this :
array(8) {
["default_cert_file"]=>
string(25) "c:/usr/local/ssl/cert.pem"
["default_cert_file_env"]=>
string(13) "SSL_CERT_FILE"
["default_cert_dir"]=>
string(22) "c:/usr/local/ssl/certs"
["default_cert_dir_env"]=>
string(12) "SSL_CERT_DIR"
["default_private_dir"]=>
string(24) "c:/usr/local/ssl/private"
["default_default_cert_area"]=>
string(16) "c:/usr/local/ssl"
["ini_cafile"]=>
string(51) "C:/wamp64/bin/php/php7.1.9/extras/ssl/ca-bundle.crt"
["ini_capath"]=>
string(0) ""
}
I've downloaded the ca-bundle.crt and added it to my php.ini file :
curl.cainfo=C:/wamp64/bin/php/php7.1.9/extras/ssl/ca-bundle.crt
openssl.cafile=C:/wamp64/bin/php/php7.1.9/extras/ssl/ca-bundle.crt
Composer diagnose returns this :
Checking composer.json: OK
Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: WARNING
[Composer\Downloader\TransportException] The "http://packagist.org/packages.json" file could not be downloaded (HTTP/1.1 404 Not Found)
Checking https connectivity to packagist: WARNING
[Composer\Downloader\TransportException] The "https://packagist.org/packages.json" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed
Checking github.com rate limit: OK
Checking disk free space: OK
Checking pubkeys: OK
Checking composer version: OK
Composer version: 1.6.5
PHP version: 7.1.9
PHP binary path: C:\wamp64\bin\php\php7.1.9\php.exe
composer show -p -vvv | grep ssl returns this :
Reading ./composer.json
Loading config file ./composer.json
Checked CA file C:\wamp64\bin\php\php7.1.9\extras\ssl\ca-bundle.crt: valid
Executing command (C:\wamp64\www\projectName): git branch --no-color --no-abbrev -v
Failed to initialize global composer: Composer could not find the config file: C:/Users/********/AppData/Roaming/Composer/composer.json
To initialize a project, please create a composer.json file as described in the https://getcomposer.org/ "Getting Started" section
Reading C:\wamp64\www\projectName/vendor/composer/installed.json
Loading plugin PackageVersions\Installer
Loading plugin Symfony\Flex\Flex
Composer >=1.7 not found, downloads will happen in sequence
Running 1.6.5 (2018-05-04 11:44:59) with PHP 7.1.9 on Windows NT / 10.0
ext-openssl 7.1.9 The openssl PHP extension
lib-openssl 1.0.2.11 OpenSSL 1.0.2k 26 Jan 2017
php --ini :
Configuration File (php.ini) Path: C:\WINDOWS
Loaded Configuration File: C:\wamp64\bin\php\php7.1.9\php.ini
Scan for additional .ini files in: (none)
Additional .ini files parsed: (none)
EDIT 1
- Tried emptying cache
- Other web browser (chrome, edge) and it didn't work
- Another computer on same network --> it works
EDIT 2
- Created a new windows user, didn't work
EDIT 3
- I can reach https://repo.packagist.org/ as suggested by @kallosz
- Curl gives me this :
curl -vvv https://packagist.org/
* Trying 144.217.203.53...
* TCP_NODELAY set
* Connected to packagist.org (144.217.203.53) port 443 (#0)
* schannel: SSL/TLS connection with packagist.org port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 178 bytes...
* schannel: sent initial handshake data: sent 178 bytes
* schannel: SSL/TLS connection with packagist.org port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with packagist.org port 443 (step 2/3)
* schannel: encrypted data got 1462
* schannel: encrypted data buffer: offset 1462 length 4096
* schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - La chaîne de certificats a été fournie par une autorité qui n'est pas approuvée.
* Closing connection 0
* schannel: shutting down SSL/TLS connection with packagist.org port 443
* schannel: clear security context handle
curl: (77) schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325)
try
composer config disable-tls true
composer config secure-http false
you can also change composer config repositories.packagist.org.url to https?://repo.packagist.org.
I had to change the global config file
C:\Users\USERNAME\AppData\Roaming\Composer\config.json
to this:
{
"config": {
"disable-tls": true,
"secure-http": false
},
"repositories": [
{
"type": "composer",
"url": "http://repo.packagist.org"
}
]
}
I had to reinstall the CURL development libraries on Ubuntu, i.e. replace the NSS flavor with the OpenSSL one:
sudo apt install -y libcurl4-openssl-dev
Rebuilding PHP with phpbrew then resulted in libcurl being enabled with the appropriate library call, which, in turn, recognized the CA certificates bundle correctly, pointing it to the right location.
I am getting the following error using curl:
curl: (77) error setting certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
How do I set this certificate verify locations?
I also had the newest version of ca-certificates installed but was still getting the error:
curl: (77) error setting certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
The issue was that curl expected the certificate to be at the path /etc/pki/tls/certs/ca-bundle.crt but could not find it because it was at the path /etc/ssl/certs/ca-certificates.crt.
Copying my certificate to the expected destination by running
sudo cp /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt
worked for me. You will need to create folders for the target destination if they do not exist by running
sudo mkdir -p /etc/pki/tls/certs
If needed, modify the above command to make the destination file name match the path expected by curl, i.e. replace /etc/pki/tls/certs/ca-bundle.crt with the path following "CAfile:" in your error message.
This error is related to a missing package: ca-certificates. Install it.
In Ubuntu Linux (and similar distro):
# apt-get install ca-certificates
In CygWin via Apt-Cyg
# apt-cyg install ca-certificates
In Arch Linux (Raspberry Pi)
# pacman -S ca-certificates
The documentation tells:
This package includes PEM files of CA certificates to allow SSL-based applications to check for the authenticity of SSL connections.
As seen at: Debian -- Details of package ca-certificates in squeeze
Put this into your .bashrc
# fix CURL certificates path
export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
(see comment from Robert)
Create a file ~/.curlrc with the following content
cacert=/etc/ssl/certs/ca-certificates.crt
as follows
echo "cacert=/etc/ssl/certs/ca-certificates.crt" >> ~/.curlrc
The quickest way to get around the error is to add the -k option somewhere in your curl request. That option "allows connections to SSL sites without certs." (from curl --help)
Be aware that this may mean that you're not talking to the endpoint you think you are, as they are presenting a certificate not signed by a CA you trust.
For example:
$ curl -o /usr/bin/apt-cyg https://raw.github.com/cfg/apt-cyg/master/apt-cyg
gave me the following error response:
curl: (77) error setting certificate verify locations:
CAfile: /usr/ssl/certs/ca-bundle.crt
CApath: none
I added on -k:
curl -o /usr/bin/apt-cyg https://raw.github.com/cfg/apt-cyg/master/apt-cyg -k
and no error message. As a bonus, now I have apt-cyg installed. And ca-certificates.
From $ man curl:
--cert-type <type>
(SSL) Tells curl what certificate type the provided certificate
is in. PEM, DER and ENG are recognized types. If not specified,
PEM is assumed.
If this option is used several times, the last one will be used.
--cacert <CA certificate>
(SSL) Tells curl to use the specified certificate file to verify
the peer. The file may contain multiple CA certificates. The
certificate(s) must be in PEM format. Normally curl is built to
use a default file for this, so this option is typically used to
alter that default file.
@roens is correct. This affects all Anaconda users, with the error below
curl: (77) error setting certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
The workaround is to use the default system curl and avoid messing with the prepended Anaconda PATH variable. You can either
Rename the Anaconda curl binary :)
mv /path/to/anaconda/bin/curl /path/to/anaconda/bin/curl_anaconda
OR remove Anaconda curl
conda remove curl
$ which curl
/usr/bin/curl
[0] Anaconda Ubuntu curl Github issue https://github.com/conda/conda-recipes/issues/352
If anyone is still having trouble, try this, it worked for me.
Delete the files in your /etc/ssl/certs/ directory
then reinstall ca-certificates:
sudo apt install ca-certificates --reinstall
Did this when I tried installing Linuxbrew.
Another alternative to fix this problem is to disable the certificate validation:
echo insecure >> ~/.curlrc
For PHP code running on XAMPP on Windows I found I needed to edit php.ini to include the below
[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo = curl-ca-bundle.crt
and then copy to a file https://curl.haxx.se/ca/cacert.pem and rename to curl-ca-bundle.crt and place it under \xampp path (I couldn't get curl.capath to work). I also found the CAbundle on the cURL site wasn't enough for the remote site I was connecting to, so used one that is listed with a pre-compiled Windows version of curl 7.47.1 at http://winampplugins.co.uk/curl/
I had the exact same problem. As it turns out, my /etc/ssl/certs/ca-certificates.crt file was malformed. The last entry showed something like this:
-----BEGIN CERTIFICATE-----
MIIEDTCCAvWgAwIBAgIJAN..lots of certificate text....AwIBAgIJAN-----END CERTIFICATE-----
After adding a newline before -----END CERTIFICATE-----, curl was able to handle the certificates file.
This was very annoying to find out since my update-ca-certificates command did not give me any warning.
This may or may not be a version specific problem of curl, so here is my version, just for completeness:
curl --version
# curl 7.51.0 (x86_64-alpine-linux-musl) libcurl/7.51.0 OpenSSL/1.0.2j zlib/1.2.8 libssh2/1.7.0
# Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
# Features: IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP UnixSockets
This worked for me
sudo apt-get install ca-certificates
then go into the certificates folder at
cd /etc/ssl/certs
then you copy the ca-certificates.crt file into the /etc/pki/tls/certs
sudo cp ca-certificates.crt /etc/pki/tls/certs
if there is no tls/certs folder: create one and change permissions using chmod 777 -R folderNAME
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
for example
curl --insecure http://........
It seems your curl points to a non-existing file with CA certs or similar.
For the primary reference on CA certs with curl, see: https://curl.haxx.se/docs/sslcerts.html
Just create the folders which are missing on your system:
/etc/pki/tls/certs/
and create the file using the following command,
sudo apt-get install ca-certificates
and then copy and paste the certificate to the destination folder which is shown in your error. Mine was " with message 'error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none' in ". Make sure you paste the file to the exact location mentioned in the error. Use the following command to copy it:
sudo cp /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt
Fixed.
I've got the same problem: I'm building an alpine based docker image, and when I want to curl to a website of my organisation, this error appears. To solve it, I have to get the CA cert of my company, then I have to add it to the CA certs of my image.
Get the CA certificate
Use OpenSSL to get the certificates related to the website :
openssl s_client -showcerts -servername my.company.website.org -connect my.company.website.org:443
This will output something like :
CONNECTED(00000005)
depth=2 CN = UbisoftRootCA
verify error:num=19:self signed certificate in certificate chain
...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
...
Get the last certificate (the content between the -----BEGIN CERTIFICATE----- and the -----END CERTIFICATE----- markups included) and save it into a file (mycompanyRootCA.crt for example)
Build your image
Then, when you'll build your docker image from alpine, do the following :
FROM alpine
RUN apk add ca-certificates curl
COPY mycompanyRootCA.crt /usr/local/share/ca-certificates/mycompanyRootCA.crt
RUN update-ca-certificates
Your image will now work properly ! \o/
I came across this curl 77 problem while I was trying to access elasticsearch running in a docker container on Ubuntu 20.04 localhost. After the container was started:
Check curl without ssl: curl --cacert http_ca.crt -u elastic https://localhost:9200 -k (lowercase -k for insecure connection).
Check curl configs: curl-config --configure, noticed what is ca-bundle: --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt.
Copy http_ca.crt file from container to:/usr/local/share/ca-certificates/, original command is here.
Run update on ca-certificates: sudo update-ca-certificates.
Run curl: curl -u elastic:<password> https://localhost:9201.
Finally got response with "tagline" : "You Know, for Search".
Change <password> to the one that was generated when Docker Image was run.
Also notice that on my machine elastic was started on port 9201 (don't know why: sudo ss -tlpn | grep 9200 gives me nothing). I found the port with: sudo netstat -ntlp and the Program name was docker-proxy.
For what it's worth, checking which curl is being run is significant too.
A user on a shared machine I maintain had been getting this error. But the cause turned out to be because they'd installed Anaconda (http://continuum.io). Doing so put Anaconda's binary path before the standard $PATH, and it comes with its own curl binary, which had trouble finding the default certs that were installed on this Ubuntu machine.
Just find this solution works perfectly for me.
echo 'cacert=/etc/ssl/certs/ca-certificates.crt' > ~/.curlrc
I found this solution from here
Run following command in git bash that works fine for me
git config --global http.sslverify "false"
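Several answers on this page switch verification off (disable-tls and secure-http in Composer, insecure in ~/.curlrc, http.sslverify false in git). The following is an added example, not code from any of the posts, that scans config files for exactly those settings so they can be located and reverted once the CA bundle itself is fixed; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the "turn verification off" settings mentioned on this page.
# audit_tls_overrides FILE...
#   prints "file:line: reason" per finding; returns 1 if any finding, else 0.
#   Unreadable or absent files are skipped.
audit_tls_overrides() {
    found=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        hits=$(awk -v file="$f" '
            function hit(msg) { printf "%s:%d: %s\n", file, FNR, msg }
            { line = tolower($0); sub(/\r$/, "", line) }
            # Composer config.json / composer.json
            line ~ /"disable-tls"[ \t]*:[ \t]*true/  { hit("composer disable-tls is true") }
            line ~ /"secure-http"[ \t]*:[ \t]*false/ { hit("composer secure-http is false") }
            line ~ /"verify_peer"[ \t]*:[ \t]*false/ { hit("verify_peer is false") }
            line ~ /"url"[ \t]*:[ \t]*"http:\/\//    { hit("repository served over plain http") }
            # curlrc: insecure, --insecure or -k on a line of its own
            line ~ /^[ \t]*(--)?insecure[ \t]*$/ || line ~ /^[ \t]*-k[ \t]*$/ {
                hit("curl certificate verification disabled")
            }
            # git config file: sslverify = false
            line ~ /^[ \t]*sslverify[ \t]*=[ \t]*"?false"?/ { hit("git http.sslverify is false") }
        ' "$f")
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample files mirroring the snippets quoted in the answers.
write_audit_samples() {
    dir=$1
    cat > "$dir/config.json" <<'EOF'
{
    "config": {
        "disable-tls": true,
        "secure-http": false
    },
    "repositories": [
        { "type": "composer", "url": "http://repo.packagist.org" }
    ]
}
EOF
    printf '%s\n' 'cacert=/etc/ssl/certs/ca-certificates.crt' 'insecure' > "$dir/curlrc"
    printf '[http]\n\tsslverify = false\n' > "$dir/gitconfig"
    printf '%s\n' 'cacert=/etc/ssl/certs/ca-certificates.crt' > "$dir/clean.curlrc"
}

# Demo run over the constructed samples.
audit_demo_dir=$(mktemp -d)
write_audit_samples "$audit_demo_dir"
audit_tls_overrides "$audit_demo_dir/config.json" "$audit_demo_dir/curlrc" \
    "$audit_demo_dir/gitconfig" "$audit_demo_dir/clean.curlrc" || :
rm -rf "$audit_demo_dir"
```

On a real machine the arguments would be the files the answers edit, such as ~/.curlrc, ~/.gitconfig and Composer's global config.json.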
I use MobaXterm, which in turn uses Cygwin, so even after installing ca-certificates using apt-cyg install ca-certificates the problem wasn't resolved.
I was still getting the following error:
curl: (77) error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none
Then I tried listing the file /etc/ssl/certs/ca-certificates.crt and I couldn't find it. However I could find /usr/ssl/certs/ca-bundle.crt with all standard CA certificates so I copied the file /usr/ssl/certs/ca-bundle.crt as /etc/ssl/certs/ca-certificates.crt and problem got resolved.
I had this problem as well. My issue was this file:
/usr/ssl/certs/ca-bundle.crt
is by default just an empty file. So even if it exists, you'll still get the error as it doesn't contain any certificates. You can generate them like this:
p11-kit extract --overwrite --format pem-bundle /usr/ssl/certs/ca-bundle.crt
https://github.com/msys2/MSYS2-packages/blob/master/ca-certificates/ca-certificates.install
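Two failure modes reported on this page leave a CA bundle in place that curl still cannot use: an END CERTIFICATE marker glued to the last base64 line, and a ca-bundle.crt that exists but is empty. The following is an added example, not code from any of the posts, that lints a bundle's PEM framing before it is copied or configured anywhere; the function names, exit codes and sample files are this example's own, and it checks structure only, not signatures or expiry.

```shell
#!/bin/sh
# Added example: structural lint for a PEM CA bundle.
# lint_ca_bundle FILE -> prints diagnostics and returns
#   0 = framing looks sound   1 = missing or unreadable
#   2 = no certificates       3 = malformed BEGIN/END framing
lint_ca_bundle() {
    bundle=$1
    if [ ! -r "$bundle" ]; then
        echo "MISSING: $bundle does not exist or is not readable"
        return 1
    fi
    if [ ! -s "$bundle" ]; then
        echo "EMPTY: $bundle is zero bytes"
        return 2
    fi
    awk '
        { sub(/\r$/, "") }    # tolerate CRLF line endings
        $0 == "-----BEGIN CERTIFICATE-----" {
            if (incert) { printf "MALFORMED: line %d: BEGIN inside a certificate\n", NR; bad = 1 }
            incert = 1; body = 0; next
        }
        $0 == "-----END CERTIFICATE-----" {
            if (!incert)        { printf "MALFORMED: line %d: END without BEGIN\n", NR; bad = 1 }
            else if (body == 0) { printf "MALFORMED: line %d: certificate has no body\n", NR; bad = 1 }
            else                { certs++ }
            incert = 0; next
        }
        /-----(BEGIN|END) CERTIFICATE-----/ {
            # A marker sharing its line with other text, e.g. glued to the base64 body
            printf "MALFORMED: line %d: marker is not on a line of its own\n", NR
            bad = 1
            if ($0 ~ /END CERTIFICATE/) incert = 0
            next
        }
        incert { body++ }
        END {
            if (incert) { print "MALFORMED: last certificate has no END marker"; bad = 1 }
            if (bad) exit 3
            if (certs == 0) { print "EMPTY: no certificates found"; exit 2 }
            printf "OK: %d certificate(s)\n", certs
        }
    ' "$bundle"
}

# Constructed samples: placeholder base64 bodies, not real certificates.
write_samples() {
    dir=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$dir/good.pem"
    # END marker glued to the last body line, as in the malformed-bundle answer
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQ=-----END CERTIFICATE-----' > "$dir/glued.pem"
    # Zero-byte bundle, as in the empty ca-bundle.crt answer
    : > "$dir/empty.pem"
}

# Demo run over the constructed samples (absent.pem is deliberately not created).
lint_demo_dir=$(mktemp -d)
write_samples "$lint_demo_dir"
for name in good glued empty absent; do
    lint_ca_bundle "$lint_demo_dir/$name.pem" || :
done
rm -rf "$lint_demo_dir"
```

Pass it the path printed after "CAfile:" in the curl error to see which of the cases applies.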
For Windows:
Download the certificate from https://curl.se/docs/caextract.html
Rename cacert.pem to curl-ca-bundle.crt
Add the file to any of the below locations
Check this for details https://curl.se/docs/sslcerts.html