curl-users

Re: Configure option --with-ca-path does not work

From: Andriy Yurchuk <ayurchuk_at_minuteware.net>
Date: Wed, 28 Aug 2013 15:46:39 +0300

This is the result of the configure script run: https://gist.github.com/Ch00k/6365585

oi@openindiana:~$ ~/curl7320/bin/curl --version
curl 7.32.0 (i386-pc-solaris2.11) libcurl/7.32.0 OpenSSL/0.9.8y zlib/1.2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL libz

oi@openindiana:~$ ~/curl7320/bin/curl --capath /etc/certs/CA/ https://google.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
oi@openindiana:~$

Passing --capath does not help. I suspect this might be an OS-specific issue. I'll try to build on Linux to see if it reproduces there.

--
Regards,
Andriy Yurchuk

On Aug 28, 2013, at 3:31 PM, Kamil Dudka <kdudka_at_redhat.com> wrote:
> On Wednesday 28 August 2013 13:06:02 Andriy Yurchuk wrote:
>> Hi!
>> 
>> I am trying to build curl on OpenIndiana. The configure string I pass is
>> the following:
>>
>> CC=/usr/gcc/4.3/bin/gcc ./configure --with-ca-path=/etc/certs/CA --prefix=/home/oi/curl7320
>>
>> Installation finishes successfully but then if I try to fetch an SSL-enabled
>> website I get the following:
>> 
>> oi@openindiana:~$ ~/curl7320/bin/curl -L https://google.com
>> curl: (60) SSL certificate problem: unable to get local issuer certificate
>> More details here: http://curl.haxx.se/docs/sslcerts.html
>> 
>> curl performs SSL certificate verification by default, using a "bundle"
>> of Certificate Authority (CA) public keys (CA certs). If the default
>> bundle file isn't adequate, you can specify an alternate file
>> using the --cacert option.
>> If this HTTPS server uses a certificate signed by a CA represented in
>> the bundle, the certificate verification probably failed due to a
>> problem with the certificate (it might be expired, or the name might
>> not match the domain name in the URL).
>> If you'd like to turn off curl's verification of the certificate, use
>> the -k (or --insecure) option.
>> 
>> I investigated the issue further and did the following:
>> 
>> oi@openindiana:~$ cat /etc/certs/CA/*.pem > bundle.pem
>> oi@openindiana:~$ ~/curl7320/bin/curl --cacert oi.pem -L https://google.com
>> 
>> And this time it worked.
>> So did I misunderstand the --with-ca-path option? I thought it should be
>> the directory where all the CA certificates reside and curl can use it if I
>> don't have a CA bundle. But in my case curl refuses to get the CA
>> certificates from that directory, though it works fine if I create a
>> bundle of those same CA certificates.
> 
> Does it work if you pass the _directory_ to the --capath option of curl?
> What does curl --version say?
> 
> Kamil
Received on 2013-08-28