@zacjones93
Last active January 21, 2026 21:43
Fixing SSL Certificate Issues with Cloudflare WARP on WSL

Problem

When using Cloudflare WARP on WSL, you may encounter SSL certificate errors when downloading files from Microsoft domains:

curl: (60) SSL certificate problem: unable to get local issuer certificate

This typically occurs when trying to download from download.microsoft.com or similar Microsoft CDN domains.

Root Cause

The issue has two parts:

  1. Cloudflare WARP certificate not installed: WARP intercepts HTTPS traffic and re-signs certificates, requiring the Cloudflare Gateway CA to be trusted by the system.

  2. Missing intermediate certificate: Microsoft's download servers don't always send the complete certificate chain in the SSL handshake. Specifically, the intermediate certificate Microsoft TLS G2 ECC CA OCSP 02 is often missing, preventing curl from building a complete chain to a trusted root CA.

Solution

Step 1: Install Cloudflare WARP Certificate (if not already done)

# Copy the cert from Windows (replace <cert-name> with your actual certificate GUID)
sudo cp /mnt/c/ProgramData/Cloudflare/<cert-name>.pem /usr/local/share/ca-certificates/cloudflare.crt

# Update system certificates
sudo update-ca-certificates

# Verify installation
ls /etc/ssl/certs/ | grep cloudflare

Step 2: Install Missing Microsoft Intermediate Certificate (THE FIX)

This is the actual fix for the Microsoft download issue. The Microsoft CDN servers don't send the complete certificate chain, so we need to install the missing intermediate certificate manually.

# Download the Microsoft intermediate certificate
# (the URL is plain HTTP, so --insecure only takes effect if it redirects to HTTPS)
curl --insecure -o /tmp/microsoft-tls-g2-ecc-ca-ocsp-02.crt \
  "http://www.microsoft.com/pkiops/certs/Microsoft%20TLS%20G2%20ECC%20CA%20OCSP%2002.crt"

# Convert from DER to PEM format
openssl x509 -inform DER \
  -in /tmp/microsoft-tls-g2-ecc-ca-ocsp-02.crt \
  -out /tmp/microsoft-tls-g2-ecc-ca-ocsp-02.pem \
  -outform PEM

# Install the certificate
sudo cp /tmp/microsoft-tls-g2-ecc-ca-ocsp-02.pem \
  /usr/local/share/ca-certificates/microsoft-tls-g2-ecc-ca-ocsp-02.crt

# Update the CA certificate bundle
sudo update-ca-certificates
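Step 2 installs a CA certificate fetched over plain HTTP, so the one thing worth adding before the copy is a check that the file is really the intermediate you expected. The script below is an added example, not the gist's own code: it fetches the certificate from the page's URL with curl -f (so an HTTP error page from a proxy or captive portal can never be saved as a certificate), detects whether the download is DER or PEM, converts it, and then refuses to install unless the subject names Microsoft TLS G2 ECC CA OCSP 02 and the certificate verifies against the system bundle already in /etc/ssl/certs/ca-certificates.crt (which is what proves the bytes were not altered in transit). It assumes a Debian/Ubuntu-style WSL distribution with curl, openssl and update-ca-certificates installed; the function names and the SYSTEM_BUNDLE override are mine.

```shell
#!/bin/sh
# Hardened version of Step 2, added as an example (not the gist's own code).
# Rule: never install a CA certificate fetched over plain HTTP until it has been
# checked for (a) being a certificate at all, (b) carrying the expected subject,
# and (c) chaining to a root the system already trusts.
set -e

CERT_URL='http://www.microsoft.com/pkiops/certs/Microsoft%20TLS%20G2%20ECC%20CA%20OCSP%2002.crt'
EXPECTED_CN='Microsoft TLS G2 ECC CA OCSP 02'
SYSTEM_BUNDLE="${SYSTEM_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"
TARGET_NAME='microsoft-tls-g2-ecc-ca-ocsp-02.crt'   # file name the gist uses

# cert_format FILE -> PEM, DER or UNKNOWN. UNKNOWN is the interesting case: an HTML
# login or error page saved by a proxy or captive portal instead of the certificate.
cert_format() {
  if head -c 10 "$1" | grep -q -e '-----BEGIN'; then
    echo PEM
  elif [ "$(od -An -tx1 -N2 "$1" | tr -d ' \n')" = "3082" ]; then
    echo DER   # 0x30 0x82: ASN.1 SEQUENCE with a 2-byte length, how every DER certificate starts
  else
    echo UNKNOWN
  fi
}

# to_pem IN OUT: normalise either encoding to PEM; refuse anything that is not a certificate
to_pem() {
  case "$(cert_format "$1")" in
    PEM) openssl x509 -inform PEM -in "$1" -out "$2" -outform PEM ;;
    DER) openssl x509 -inform DER -in "$1" -out "$2" -outform PEM ;;
    *)   echo "refusing: $1 is not a certificate" >&2; return 1 ;;
  esac
}

# check_cert PEM EXPECTED_CN BUNDLE: the subject must name the CA we meant to fetch,
# and the certificate must verify against a bundle we already trust, so a swapped or
# tampered download is rejected before it reaches the trust store
check_cert() {
  openssl x509 -noout -subject -in "$1" | grep -qF "$2" || {
    echo "subject mismatch: expected '$2'" >&2; return 1; }
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || {
    echo "certificate does not chain to a root in $3" >&2; return 1; }
}

# install_ca PEM: same copy + rebuild as the gist's Step 2 (needs sudo)
install_ca() {
  sudo cp "$1" "/usr/local/share/ca-certificates/$TARGET_NAME"
  sudo update-ca-certificates
}

# fetch_and_install: the whole step with the checks in place (network + sudo; not run by tests)
fetch_and_install() {
  raw=$(mktemp) && pem=$(mktemp)
  curl -fsSL -o "$raw" "$CERT_URL"        # -f: an HTTP error is an error, not a file
  to_pem "$raw" "$pem"
  check_cert "$pem" "$EXPECTED_CN" "$SYSTEM_BUNDLE"
  install_ca "$pem"
  rm -f "$raw" "$pem"
}

# usage: sh install-ms-intermediate.sh run
if [ "${1:-}" = "run" ]; then
  fetch_and_install
fi
```

Because check_cert verifies against the bundle that update-ca-certificates already built, run it after Step 1 if WARP is re-signing the connection; the verify step does not need the intermediate itself, only the Microsoft root that ships in the distribution's CA package.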

Step 3: Verify the Fix

Test that downloads from Microsoft now work:

# Test basic connectivity
curl https://httpbin.org/get

# Test Microsoft download
curl -I https://download.microsoft.com

# Try the actual download
curl -L -o /tmp/test-download.zip https://go.microsoft.com/fwlink/?linkid=2257477

Verification Steps

Check Cloudflare Certificate Installation

grep "Cloudflare" /etc/ssl/certs/ca-certificates.crt

Should return lines containing "Cloudflare".

Check Microsoft Certificates

ls /etc/ssl/certs/ | grep -i microsoft

Should show Microsoft certificate symlinks.

Debug SSL Connection

curl -v https://download.microsoft.com 2>&1 | grep -E "(certificate|SSL)"

Should show "SSL certificate verify ok" instead of certificate errors.

Optional: Configure .NET Applications

Note: This step is only needed if you're having SSL issues with .NET applications (like dotnet restore). It does NOT affect curl or other system tools.

Add these environment variables to your ~/.bashrc:

# .NET SSL Certificate Configuration for Cloudflare WARP
export DOTNET_SYSTEM_NET_HTTP_USESOCKETSHTTPHANDLER=0
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

Then reload your shell:

source ~/.bashrc

Troubleshooting

If curl still fails after installing certificates

Try refreshing the CA certificate bundle:

sudo update-ca-certificates --fresh

If Node.js applications fail

Add this to your ~/.bashrc:

export NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/cloudflare.crt

Check certificate chain

Debug what certificate chain the server is sending:

# Print every certificate the server presents (depth, subject "s:", issuer "i:"),
# followed by the leaf's subject/issuer summary at the end of the transcript
echo | openssl s_client -connect download.microsoft.com:443 -showcerts 2>/dev/null | \
  grep -E "^ *[0-9]+ s:|^ *i:|^(subject|issuer)="
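Reading the s_client transcript by eye gets tedious once two problems overlap, so here is an added helper (not part of the gist) that post-processes the same openssl s_client -showcerts output and tells the two root causes apart: a server that sent only its leaf (top_issuer is then the intermediate the client must already hold, as with Microsoft TLS G2 ECC CA OCSP 02) versus a connection that WARP has re-signed (an issuer naming Cloudflare). It parses the " N s:" / "   i:" lines of the "Certificate chain" section as OpenSSL 1.1.1 and 3.x print them; that format is an assumption, the function names are mine, and the three sample transcripts are constructed, including the Cloudflare CA name, which is a placeholder rather than the real Gateway CA subject.

```shell
#!/bin/sh
# Added diagnostic (not part of the gist): summarises the chain a server presented
# from an `openssl s_client -showcerts` transcript, so "intermediate not sent" and
# "WARP re-signed the connection" can be told apart. Samples below are constructed.

# chain_records: stdin = s_client transcript; stdout = one "depth|subject|issuer"
# line per certificate in the "Certificate chain" section (" N s:" / "   i:" lines)
chain_records() {
  awk '
    /^ *[0-9]+ s:/ { d = $1 + 0; s = $0; sub(/^ *[0-9]+ s:/, "", s); subj[d] = s; next }
    /^ *i:/        { i = $0; sub(/^ *i:/, "", i); print d "|" subj[d] "|" i }
  '
}

# diagnose_chain: stdin = s_client transcript; stdout = one summary line:
#   certs=N             how many certificates the server sent
#   linked=yes|no       each cert's issuer is the subject of the next cert sent
#   intercepted=yes|no  some issuer names Cloudflare, i.e. WARP re-signed the connection
#   top_issuer=...      the CA the client must already trust for the chain to close;
#                       with certs=1 this is exactly the intermediate the server omitted
diagnose_chain() {
  chain_records | awk -F'|' '
    { subj[NR] = $2; iss[NR] = $3; n = NR }
    END {
      if (n == 0) { print "certs=0"; exit }
      linked = "yes"; intercepted = "no"
      for (k = 1; k < n; k++) if (iss[k] != subj[k + 1]) linked = "no"
      for (k = 1; k <= n; k++) if (iss[k] ~ /Cloudflare/) intercepted = "yes"
      print "certs=" n " linked=" linked " intercepted=" intercepted " top_issuer=" iss[n]
    }'
}

# Constructed transcript 1: leaf only, its intermediate not sent (the Microsoft case)
SAMPLE_LEAF_ONLY='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = download.microsoft.com
   i:CN = Microsoft TLS G2 ECC CA OCSP 02
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
subject=CN = download.microsoft.com
issuer=CN = Microsoft TLS G2 ECC CA OCSP 02'

# Constructed transcript 2: WARP re-signed the connection (the CA name is made up)
SAMPLE_WARP='Certificate chain
 0 s:CN = download.microsoft.com
   i:CN = Constructed Cloudflare Gateway CA
 1 s:CN = Constructed Cloudflare Gateway CA
   i:CN = Constructed Cloudflare Gateway CA'

# Constructed transcript 3: two certificates sent, but they do not link to each other
SAMPLE_BROKEN='Certificate chain
 0 s:CN = example.invalid
   i:CN = Example Intermediate CA
 1 s:CN = Unrelated CA
   i:CN = Example Root CA'

# Live use (not exercised by the offline samples): sh chain-check.sh download.microsoft.com
if [ $# -gt 0 ]; then
  echo | openssl s_client -connect "$1:443" -servername "$1" -showcerts 2>/dev/null | diagnose_chain
fi
```

A certs=1 result with a non-Cloudflare top_issuer is the Step 2 situation: the server expects the client to supply that intermediate itself. intercepted=yes with linked=yes means WARP is in the path and the certificate to trust is the Cloudflare Gateway CA from Step 1, not anything Microsoft publishes.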

Why This Happens

  1. Cloudflare WARP intercepts traffic: When WARP is enabled, it acts as a man-in-the-middle proxy, re-signing all HTTPS certificates with its own CA.

  2. System tools need to trust Cloudflare's CA: Without the Cloudflare Gateway CA installed, tools like curl will reject the re-signed certificates.

  3. Microsoft's incomplete certificate chain: Some Microsoft CDN servers (like download.microsoft.com) don't send intermediate certificates in the TLS handshake, relying on clients to have them cached or downloaded separately. When combined with WARP interception, this creates a double certificate validation issue.

Additional Notes

  • These changes persist across WSL sessions
  • You may need to repeat Step 2 if Microsoft updates their intermediate certificates
  • The --insecure flag in Step 2 is safe because we're downloading from a known Microsoft URL
  • Other corporate proxies (like Zscaler) may require similar certificate installations