Homebrew and Decryption

Getting Homebrew to work behind a device that performs SSL decryption can be a challenge.

Example errors could look something like this:

$ brew update
fatal: unable to access 'https://github.com/Homebrew/brew/': SSL certificate problem: self signed certificate in certificate chain
Error: Fetching /opt/homebrew failed!
Failed to download https://formulae.brew.sh/api/formula.jws.json!
Failed to download https://formulae.brew.sh/api/cask.jws.json!
Failed to download https://formulae.brew.sh/api/formula_tap_migrations.jws.json!
Failed to download https://formulae.brew.sh/api/cask_tap_migrations.jws.json!

After doing some research, it seems that Homebrew uses curl under the hood to reach the Internet.

The first step is to set the environment variable that tells curl where to find a custom configuration file:

export HOMEBREW_CURLRC="$HOME/.curlrc"

Then in the .curlrc file, put the following flags:

--verbose

The advantage of the --verbose argument is that it shows where curl is loading the certificates from. On my MacBook, running the brew update command yields an important line:

CAfile: /etc/ssl/cert.pem

Now we can append our enterprise root Certificate Authority certificates to this /etc/ssl/cert.pem file. The certificate contents we are adding look like this (it’s important to note that the file is in PEM format, i.e. base64):

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Now that we have the certificates added, we can run the brew command without any issues.
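
The append step above, as an added example that is not from the original post: a shell function that accepts only a parseable CA certificate, prints its fingerprint and subject so they can be compared with what your PKI team publishes, and appends it to the bundle only if it is not already there. The function names and the file name corp-root.pem are assumptions for illustration.

```sh
#!/bin/sh
# Added example: checked, idempotent append of a root CA to a curl CA bundle.

# Print the SHA-256 fingerprint of every certificate in a PEM bundle.
bundle_fingerprints() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { pem = ""; grab = 1 }
        grab { pem = pem $0 "\n" }
        /-----END CERTIFICATE-----/ {
            cmd = "openssl x509 -noout -fingerprint -sha256"
            printf "%s", pem | cmd
            close(cmd)
            grab = 0
        }
    ' "$1"
}

# append_ca_once BUNDLE CERT
# Returns 0 if CERT was appended or is already present, non-zero if refused.
append_ca_once() {
    bundle=$1 cert=$2

    # Refuse anything openssl cannot parse as a PEM X.509 certificate.
    fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 2>/dev/null) || {
        echo "refused: $cert is not a PEM certificate" >&2; return 2; }

    # Refuse leaf certificates: only a CA belongs in a trust bundle.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' || {
        echo "refused: $cert is not a CA certificate" >&2; return 3; }

    # Show what is about to be trusted.
    echo "$fp"
    openssl x509 -in "$cert" -noout -subject -enddate

    # Skip the append if a certificate with this fingerprint is already there.
    if bundle_fingerprints "$bundle" | grep -qxF "$fp"; then
        echo "already present in $bundle"; return 0
    fi

    cp -p "$bundle" "$bundle.bak"    # keep a rollback copy
    # Re-encode through openssl so only the certificate itself is appended;
    # the leading newline protects a bundle whose last line is unterminated.
    { echo; openssl x509 -in "$cert" -outform PEM; } >> "$bundle"
    echo "appended to $bundle"
}

# Usage: sh add-ca.sh /etc/ssl/cert.pem corp-root.pem  (placeholder file name)
if [ "$#" -eq 2 ]; then append_ca_once "$1" "$2"; fi
```

Writing to /etc/ssl/cert.pem needs root, so run the script under sudo; the .bak copy next to the bundle is the rollback if the wrong certificate was added.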