Curl SSL Certificate: unable to get local issuer certificate

when using curl in verbose mode, I get this error: Command:

$ curl -vvI https://www.google.com

Error:

• successfully set certificate verify locations:
• CAfile: none CApath: /etc/ssl/certs
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
• TLSv1.3 (IN), TLS handshake, Server hello (2):
• TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
• TLSv1.3 (IN), TLS handshake, Certificate (11):
• TLSv1.3 (OUT), TLS alert, unknown CA (560):
• SSL certificate problem: unable to get local issuer certificate
• Closing connection 0

But if I send the same command with sudo, the connection is setup successfully, so I guess it's a permission issue.

This is what I get with namei command:

$ namei -mo /etc/ssl/certs/ca-certificates.crt

f: /etc/ssl/certs/ca-certificates.crt
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x root root ssl
drw-r--r-- root root certs
                     ca-certificates.crt - Permission denied

So I issued this command:

$ sudo chmod 755 /etc/ssl/certs/ca-certificates.crt

That was executed without errors, but the output of namei command is the same.

Same thing with /etc/ssl/certs/certificate.crt

Finally, if I send this command:

$ sudo ls -l /etc/ssl/certs/ca-certificates.crt

I get:

-rwxr-xr-x 1 root root 218664 lug 19 18:51 /etc/ssl/certs/ca-certificates.crt

As you have seen, you can't access ca-certificates.crt. The curl command tries to access the certificate bundle with your user, but fails. You can fix this by using chmod. 755 may be used in this case, as certificate bundles are not sensitive files.