curl-users
Re: curl configuration on HP-UX
Date: Fri, 21 Feb 2014 11:23:06 +0100 (CET)
On Thu, 20 Feb 2014, John Nisbet wrote:

> Curl was apparently installed/configured with no ca bundle. All
> communication to host was performed with '-k' parameter.
>
> Host now requires updated SSL certs.

I'm sorry but I have a hard time parsing this. The 'host' you speak of here
is clearly the server in your case.

The server requires updated SSL certs? In SSL/TLS, the server cannot enforce
that the client verifies its certificate so it cannot make -k not work.

Does it mean that the server requires a client certificate? That sounds more
likely, but it doesn't really go with your talk about a CA bundle etc further
down. The CA bundle is used to verify the server cert.

> What steps do we have to take to have curl recognize this CA bundle?

http://curl.haxx.se/docs/sslcerts.html has the long explanation. Primarily,
libcurl is built with a default path to find the CA bundle.

> - use environment variable CURL_CA_BUNDLE?

That works, yes.

> - use curl --cert . . . .?

No, --cacert is the option for CA certs while --cert is for client certs. You
must not confuse or mix up the various types of certificates you can use with
SSL - I know it is easily done.

--
 / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-02-21
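
As an added example (not part of the original message and not curl's own code), this shell helper sorts PEM files by their block headers into the curl option they belong to, and reports which CA bundle the curl tool will verify against. The function names and sample files are constructed for illustration, and a certs-only file is assumed to be the CA bundle.

```shell
#!/bin/sh
# Added example: classifies PEM files by block headers only, no certificate parsing.

# pem_kind FILE -> certs | cert+key | key | unknown
pem_kind() {
    [ -r "$1" ] || { echo unknown; return 0; }
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$1" || true)
    if [ "$certs" -gt 0 ] && [ "$keys" -gt 0 ]; then echo cert+key
    elif [ "$keys" -gt 0 ]; then echo key
    elif [ "$certs" -gt 0 ]; then echo certs
    else echo unknown
    fi
}

# curl_tls_opt FILE -> the curl option the file fits. Assumption: a
# certs-only file is the CA bundle (it could also be a client certificate
# whose key is kept in a separate file; the headers cannot tell).
curl_tls_opt() {
    case $(pem_kind "$1") in
        certs)    echo "--cacert $1" ;;  # verifies the server's cert
        cert+key) echo "--cert $1" ;;    # client cert with key appended
        key)      echo "--key $1" ;;     # client key, goes with --cert
        *)        return 1 ;;
    esac
}

# effective_ca [CACERT] -> bundle the curl tool verifies against:
# --cacert, else CURL_CA_BUNDLE, else the path compiled into libcurl.
effective_ca() {
    if [ -n "${1:-}" ]; then echo "$1"
    elif [ -n "${CURL_CA_BUNDLE:-}" ]; then echo "$CURL_CA_BUNDLE"
    elif command -v curl-config >/dev/null 2>&1; then curl-config --ca
    else echo unknown
    fi
}

# Constructed sample files: placeholder bodies, not real certificates or keys.
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$1/ca-bundle.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$1/client.key"
    cat "$1/ca-bundle.pem" "$1/client.key" > "$1/client.pem"
}

d=$(mktemp -d) && make_samples "$d"
for f in "$d"/*; do echo "$(pem_kind "$f")  ${f##*/}"; done
rm -rf "$d"
```

A file that reports `key` or `cert+key` should never be pointed to by `--cacert` or `CURL_CA_BUNDLE`; those take only the CA certificates used to verify the server.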