We ran into the same exact problem.
Explanation of the Problem
Basically, for some reason Homebrew created the file /usr/local/etc/openssl/cert.pem, but did NOT put anything into the file.
Normally, that file should contain all of the certificates for known Certificate Authorities (CAs) - those are the companies or institutions around the world who are allowed to "sign" the SSL certificates for your website and anyone else's website that you try to access -- companies like GeoTrust, Thawte, and in some countries like the PRC it is actually the government themselves who digitally countersign individual websites' SSL certificates.
This is why the file is called "CAfile:"
If the file is empty, then CURL thinks that it CANNOT TRUST ANY WEBSITE ANYWHERE because it has no 'trusted' certificates to start out with.
In the CAfile cert.pem, CURL is expecting to find many certificates all copy/pasted together into one single text file.
However, it is also possible for you to have a FOLDER full of individual text files, one for each Certificate Authority that you trust to sign other websites' certificates (i.e. they are acting like a "notary").
In the folder-based setup, CURL would need to know what folder to go to in order to read all of those individual text files -- that folder path is what CURL is calling the "CApath:".
Resolution to the problem
CURL needs to be able to see some certificates for the CAs (aka "notaries") whom it should trust.
You can put them all into one single text file (cert.pem) or multiple files in a single folder (the CApath).
In our setup there was not a "none" in the CApath. Homebrew and CURL were expecting the folder to be at the path
You can put the certificates in EITHER location (the single text file, or the multiple files in a folder), and CURL should work.
Where to get the valid Certificates?
You can get them directly from the
Here is a simple command to download the file and save it directly into the location that Homebrew's CURL is expecting the file to be:
$ /usr/bin/curl https://curl.haxx.se/ca/cacert.pem -o /usr/local/etc/openssl/cert.pem
In our case, the curl that Apple shipped with Snow Leopard was still at /usr/bin/curl, so we used that version of curl to do the download.
If you try to download the file using curl instead of /usr/bin/curl, you might have a problem where the Homebrew-installed curl gets called to download the certificates file from the webserver, but the Homebrew-installed curl is the one that is having problems and will not "trust" the security of the download, so it will error out (with the exact same error you were already having) before it will ever download and save the file for you.
So, to avoid that problem you need to use the Apple-included curl at /usr/bin/curl (that is assuming that you have not already removed Apple's curl or symbolically linked it to another version).
If all else fails, you can simply download the certificate file by typing this link into your web browser:
and then saving the text file to your hard drive using your web browser.
After the text file is saved on the drive, you can open a terminal window and type:
$ mv the_full_path_and_name_of_the_file_you_just_downloaded /usr/local/etc/openssl/cert.pem
That will move the file you just downloaded, and will rename it as "cert.pem" and place it into the correct location where the Homebrew-installed curl is expecting the file to be located.
Then, you should be able to type something like:
$ curl https://www.example.com
And curl should correctly download the secure page and display it as html text in your terminal.
The real purpose of the test was to make sure that the certificates worked. You will know that they worked because otherwise curl will throw an error exactly as you had before when you try to download any HTTPS link.
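
A check for the empty-CAfile condition described in this answer, as an added example that is not part of the original answer. The function name ca_bundle_status and its status words are this example's own; the default path is the one the answer names. It is useful before and after replacing cert.pem, because it also catches a saved HTML page or a cut-off download.

```shell
#!/bin/sh
# Added example: classify a CA bundle file before pointing curl at it.
# ca_bundle_status is a hypothetical helper, not part of curl or Homebrew.

# Print one word describing the bundle: missing, empty, no-certs,
# truncated or ok. Returns 0 only for "ok".
ca_bundle_status() {
    bundle=${1:-/usr/local/etc/openssl/cert.pem}

    if [ ! -e "$bundle" ]; then
        echo missing; return 1
    fi
    # -s is true only for a file larger than zero bytes; a zero-byte
    # cert.pem is the situation the answer describes.
    if [ ! -s "$bundle" ]; then
        echo empty; return 1
    fi

    # A CAfile is many PEM blocks concatenated, so count the markers.
    # grep -c exits 1 when the count is 0, hence the "|| true".
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$bundle" || true)

    if [ "${begins:-0}" -eq 0 ]; then
        # For example an HTML page saved by the browser instead of the bundle.
        echo no-certs; return 1
    fi
    if [ "$begins" -ne "${ends:-0}" ]; then
        # A download that stopped part-way through a certificate.
        echo truncated; return 1
    fi
    echo ok
}
```

Source the file and run ca_bundle_status with no argument to test the default path, or pass the path of a freshly downloaded file before moving it into place.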