curl-users

Re: SSL Certificate Issues

From: Ralph Mitchell <ralphmitchell_at_gmail.com>
Date: Mon, 10 Dec 2012 07:13:15 -0500

On Dec 10, 2012 2:25 AM, "Stephen R Guglielmo" <srg_at_guglielmo.us> wrote:
>
> Hey list. I'm trying to figure out this https stuff. It's been driving me
> nuts, and I really do not want to use --insecure.
>
> So I'm trying to do a HTTP request via ssl, and it keeps failing with a
> certificate error. I got the certificate via `openssl s_client .... | tee
> file` then converted it into pem via `openssl x509 ....`
>
> I then moved the pem into /usr/local/openssl/certs/ and ran c_rehash as
> root.
> I ran `curl -I --capath /usr/local/openssl/certs url` and it is not
> working. It keeps saying the certificate is invalid.
>
> I checked ldd on all the programs involved to make sure they are using the
> same libssl.so library, which they are. I tried it as root, and tried
> messing with the permissions of the files in /usr/local/openssl/certs/ to
> no avail. And I did try using curl with --insecure, which was successful.
> But I really don't want to use --insecure forever.
>
> The OS is FreeBSD 9.0. The software versions are:
> OpenSSL 1.0.1c 10 May 2012
> curl 7.24.0 (amd64-portbld-freebsd9.0) libcurl/7.24.0 OpenSSL/1.0.1c
> zlib/1.2.5
> Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp
> smtp smtps telnet tftp
> Features: Largefile NTLM NTLM_WB SSL libz TLS-SRP
>
> Any tips? Thank you!

Try --insecure along with -v to get the reason for the certificate being
rejected. Most likely it will be that you don't have the whole certificate
chain. You need the cert from the CA that signed the server cert, and from
the CA that signed that, etc.

Ralph Mitchell

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-12-10
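
The missing-chain failure described in the reply can be reproduced offline. This is an added example, not part of the original mail or the curl project's code: it builds a constructed root CA and server certificate (the names "Demo Root CA" and "server.example" are made up) and assumes the `openssl` command line with its default configuration file is installed.

```shell
#!/bin/sh
# Added example with constructed data: a throwaway root CA and a server
# certificate it signs. "Demo Root CA" and "server.example" are made-up names.

# Install one PEM file into a CApath directory under the <subject-hash>.0
# name OpenSSL looks up (c_rehash creates the same names as symlinks).
hash_into() {
    cp "$2" "$1/$(openssl x509 -noout -hash -in "$2").0"
}

# Succeeds only if openssl prints "<file>: OK"; the exit status alone is not
# used because some older openssl releases exit 0 even when verification fails.
verifies() {
    openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Prints two results: verification with only the server certificate in the
# CApath directory, then again after the issuing CA has been added.
chain_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null || return 1

    hash_into "$d/certs" "$d/leaf.pem"   # only the server cert, as in the question
    if verifies "$d/certs" "$d/leaf.pem"; then before=OK; else before=FAIL; fi

    hash_into "$d/certs" "$d/ca.pem"     # add the CA that signed it
    if verifies "$d/certs" "$d/leaf.pem"; then after=OK; else after=FAIL; fi

    rm -rf "$d"
    echo "$before $after"
}

chain_demo
```

Against a real server, `openssl s_client -showcerts` lists the certificates the server sends; the issuer of each one has to be present in the hashed directory as well, up to the self-signed root.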