
curl-users

Re: SSL certificate verify failed

From: jayjwa <jayjwa_at_atr2.ath.cx>
Date: Thu, 12 Jul 2007 13:14:47 -0400

On Wed, 11 Jul 2007, Sanford Walke IV wrote:

-> I've got a script that uses curl to send a file to an SSL-enabled website.
-> It's been working for months, until they recently renewed their certificate.

It would help to know the site, but I can still give the commands you can use.

-> Now I get "error:14090086:SSL
-> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" when I try
-> to connect.

So they updated to a newer cert than you have, correct?

-> I've read through http://curl.netmirror.org/docs/sslcerts.html and
-> http://curl.haxx.se/docs/caextract.html. I'm using the newest cacert.pem
-> from the caextract page. I've inspected their certificate in Firefox, and it's
-> signed by Verisign.

Maybe it's newer than has been distributed? Sometimes, you can ask the server
itself. When I connect to my SSL'ed website, the last certificate in the chain
is the root CA. Perhaps it's the same with your target site? If so, you can
use OpenSSL's s_client to get it, then copy-paste it, and append it to curl's
collection. The example shows my site; put your target host and its port in
for the -connect option:

OpenSSL> s_client -connect atr2.ath.cx:443 -pause -showcerts -debug
CONNECTED(00000003)
write to 0x80c1768 [0x80c21d8] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00 .z....Q... ..9..

(snip lots of hex)

read from 0x80c1768 [0x80c7738] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ....0
read from 0x80c1768 [0x80c773d] (48 bytes => 48 (0x30))
0000 - ce 8d d7 34 37 4d ea d6-e2 8a 44 6a 2c 20 5c 4a ...47M....Dj, \J
0010 - 90 67 2f de 9f 54 6f f0-45 97 0e 70 af c2 c2 bc .g/..To.E..p....
0020 - 80 22 78 53 e2 c3 42 df-c7 72 4a fa 1c c5 bc de ."xS..B..rJ.....

---
Certificate chain
  0 s:/C=US/ST=New York/O=Atr2 Research Group/OU=SSL-Enabled
Webserver/CN=atr2.ath.cx/emailAddress=hostmaster_at_atr2.ath.cx
    i:/C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate
Authority/CN=atr2.ath.cx/emailAddress=ca_at_atr2.ath.cx
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
  1 s:/C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate
Authority/CN=atr2.ath.cx/emailAddress=ca_at_atr2.ath.cx
    i:/C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate
Authority/CN=atr2.ath.cx/emailAddress=ca_at_atr2.ath.cx
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=New York/O=Atr2 Research Group/OU=SSL-Enabled
Webserver/CN=atr2.ath.cx/emailAddress=hostmaster_at_atr2.ath.cx
issuer=/C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate
Authority/CN=atr2.ath.cx/emailAddress=ca_at_atr2.ath.cx
---
Acceptable client certificate CA names
/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/O=VeriSign, Inc/OU=www.verisign.com/repository/TestCPS Incorp. By Ref.
/Liab. LTD./OU=For VeriSign authorized testing only. No assurances (C)VS1997
/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
/CN=maze.bitnux.com/OU=Bitnux/emailAddress=je-ssl_at_bitnux.com
/C=DE/O=oliwel/CN=Oliver Welter/serialNumber=31
/C=DE/O=Regulierungsbeh\xC8orde f\xC8ur Telekommunikation und
/Post/0.2.262.1.10.7.20=1/CN=5R-CA 1:PN
/C=DE/O=Regulierungsbeh\xC8orde f\xC8ur Telekommunikation und
/Post/0.2.262.1.10.7.20=1/CN=6R-Ca 1:PN
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust
/Global Root
/C=US/O=Wells Fargo/OU=Wells Fargo Certification Authority/CN=Wells Fargo
/Root Certificate Authority
/C=AT/ST=Austria/L=Vienna/O=Arge Daten Oesterreichische Gesellschaft fuer
/Datenschutz/emailAddress=a-cert_at_argedaten.at
/C=GB/O=Comodo Limited/OU=Comodo Trust Network/OU=Terms and Conditions of
/use: http://www.comodo.net/repository/OU=(c)2002 Comodo Limited/CN=Comodo
/Class 3 Security Services CA
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
/Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
/C=US/ST=California/L=San Jose/O=Samba/CN=Samba Root
/CA/emailAddress=ca_at_samba.org
/C=US/ST=New York/O=Atr2 Research Group/OU=Root Certificate
/Authority/CN=atr2.ath.cx/emailAddress=ca_at_atr2.ath.cx
/C=US/ST=Colorado/L=Boulder/O=Rhyolite Software/CN=Rhyolite Software
/Certificate Authority/emailAddress=vjs_at_rhyolite.com
/C=US/ST=California/L=Berkeley/O=Sendmail Consortium/CN=Certificate
/Authority/emailAddress=certificates_at_sendmail.org
/C=AT/ST=Austria/L=Vienna/O=ARGE DATEN - Austrian Society for Data
/Protection/OU=A-CERT Certification Service/CN=A-CERT
/ADVANCED/emailAddress=info_at_a-cert.at
/C=CA/ST=ON/L=Toronto/O=BankEngine Inc./OU=Certification Authority
/Division/CN=bankengine/emailAddress=ca_at_bankengine.com
/C=CA/ST=ON/L=Toronto/O=CertEngine Inc./OU=Certification Authority
/Division/CN=certengine/emailAddress=ca_at_certengine.com
/C=CA/ST=ON/L=Toronto/O=FortEngine Inc./OU=Certification Authority
/Division/CN=fortengine/emailAddress=ca_at_fortengine.com
/C=CA/ST=ON/L=Toronto/O=MailEngine Inc./OU=Certification Authority
/Division/CN=mailengine/emailAddress=ca_at_mailengine.com
/C=NL/ST=Noordholland/L=Amsterdam/O=Barlaeus Gymnasium/OU=IT
/Beheer/CN=mail.barlaeus.nl/emailAddress=beheer_at_barlaeus.nl
/C=US/ST=Illinois/L=De Kalb/O=Northern Illinois University/OU=Computer
/Science/CN=Neil Rickert/emailAddress=rickert_at_cs.niu.edu
/C=CA/ST=ON/L=Toronto/O=TraderEngine Inc./OU=Certification Authority
/Division/CN=traderengine/emailAddress=ca_at_traderengine.com
/C=US/ST=Texas/L=San Antonio/O=The Metasploit
/Project/OU=Development/CN=Metasploit CA/emailAddress=cacert_at_metasploit.com
/C=CA/ST=Ontario/L=Waterloo/O=University of Waterloo/OU=Information Systems
/and Technology/CN=UW/IST Certificate
/Authority/emailAddress=ist-ca_at_ist.uwaterloo.ca
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification
/Services Division/CN=Thawte Server CA/emailAddress=server-certs_at_thawte.com
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification
/Services Division/CN=Thawte Premium Server
/CA/emailAddress=premium-server_at_thawte.com
---
SSL handshake has read 7945 bytes and written 334 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1
     Cipher    : DHE-RSA-AES256-SHA
     Session-ID:
     009425175CDAD0B0D6421898CB2DB53A1B4C676A06BA304E3CD11D251C6B506F
     Session-ID-ctx:
     Master-Key:
     3320C6B83C75F946D7D40F24245F962788A97EDC43453A0C0A4A0EA6598DF3A1B58646876068D2E5EA8A15D9B1A7EB4B
     Key-Arg   : None
     Start Time: 1184258326
     Timeout   : 300 (sec)
     Verify return code: 19 (self signed certificate in certificate chain)
---
The last PEM block (--BEGIN thru --END ...) should be the CA file (it is in my
setup). Copy & paste it into a file:

    nano new-ca-certificate.pem

Look at it and see that it really is the one you're expecting. If a MiM attack
was underway, then curl's complaining initially would be correct: the
certificate had been replaced. Make sure what you're looking at is not a
fake/the attacker's certificate.

    openssl x509 -in new-ca-certificate.pem -noout -text

If it's OK, add it to the curl bundle:

    cat new-ca-certificate.pem >> /usr/share/curl/ca-bundle.pem

(or wherever you keep your curl CA bundle.)
Received on 2007-07-12
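The procedure jayjwa describes (pull the chain with s_client -showcerts, take the last PEM block, look at it before trusting it, then hand it to curl) as an added shell example; this is not code from the post or from the curl project. The sample transcript embedded in the script is constructed, with placeholder base64 bodies rather than real certificates, so the text-extraction functions can run offline; the live fetch_and_check function needs network access and an openssl binary, and its host, port and file names are placeholders. It departs from the post in one respect: it verifies the served leaf against the extracted candidate CA with openssl verify, and points curl at the new file with --cacert for this one job instead of appending to the system-wide bundle, so a wrong or attacker-supplied certificate never becomes trusted for everything.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post: extract the CA
# certificate from an `openssl s_client -showcerts` transcript, inspect it,
# and use it as a job-specific curl bundle instead of appending it to the
# system one. HOST/PORT and the file names below are placeholders.

# Count the PEM certificate blocks on stdin (how many certs the server sent).
count_pem_blocks() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# Print the last PEM block on stdin: the topmost certificate the server sent,
# which in the poster's chain order is the CA. Exits 1 if there is none.
last_pem_block() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inblock = 1; block = "" }
        inblock                       { block = block $0 "\n" }
        /-----END CERTIFICATE-----/   { inblock = 0; last = block }
        END { if (last == "") exit 1; printf "%s", last }
    '
}

# Print the first PEM block on stdin (the server's own leaf certificate).
first_pem_block() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { if (!done) inblock = 1 }
        inblock                       { print }
        /-----END CERTIFICATE-----/   { if (inblock) { inblock = 0; done = 1 } }
    '
}

# Constructed sample transcript (placeholder bodies, not real certificates),
# shaped like the s_client output quoted in the post.
SAMPLE_TRANSCRIPT=$(cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/O=Example Org/CN=www.example.invalid
   i:/O=Example Org/CN=Example Root CA
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDER
-----END CERTIFICATE-----
 1 s:/O=Example Org/CN=Example Root CA
   i:/O=Example Org/CN=Example Root CA
-----BEGIN CERTIFICATE-----
ROOTCERTPLACEHOLDER
-----END CERTIFICATE-----
---
EOF
)

# Live path (needs network and openssl): save the chain, split it, inspect the
# candidate CA, verify the leaf against it, then point curl at the new file.
fetch_and_check() {
    host=$1; port=${2:-443}
    transcript=$(openssl s_client -connect "$host:$port" -servername "$host" \
                 -showcerts </dev/null 2>/dev/null)
    printf '%s\n' "$transcript" | last_pem_block  > candidate-ca.pem
    printf '%s\n' "$transcript" | first_pem_block > server-leaf.pem

    # The "look at it" step from the post: who issued it, its validity window,
    # and a fingerprint to compare against one obtained out of band (phone,
    # the CA's published root list), which is what catches a swapped cert.
    openssl x509 -in candidate-ca.pem -noout -subject -issuer -dates \
        -fingerprint -sha256

    # Success here means the served leaf chains to the candidate and the
    # candidate is a self-signed root. If the last block is an intermediate,
    # this fails, and appending that block to a bundle would not help either.
    openssl verify -CAfile candidate-ca.pem server-leaf.pem

    # Trust the file for this job only; the system bundle stays untouched.
    curl --cacert candidate-ca.pem -sS -o /dev/null -w '%{http_code}\n' \
        "https://$host:$port/"
}

# Stand-alone use: sh extract-ca.sh HOST [PORT]
if [ $# -ge 1 ]; then
    fetch_and_check "$@"
fi
```

The awk functions only split text, so they run against a saved transcript as easily as a live one; keeping the openssl and curl calls in fetch_and_check means the extraction can be checked offline first. If openssl verify fails, stop: either the block you pulled is not the root, or the chain the server presented is not one you should be trusting.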