
curl-users

Re: Why is cURL experiencing "SSL certificate problem: unable to get local issuer certificate" when the CA is available?

From: Jeffrey Walton <noloader_at_gmail.com>
Date: Sun, 30 Aug 2015 19:06:12 -0400

> cURL has access to "DigiCert High Assurance EV Root CA":
>
> $ cat /usr/share/curl/ca-bundle.crt | grep "DigiCert High Assurance EV Root CA"
> DigiCert High Assurance EV Root CA
>
> Why is cURL experiencing "SSL certificate problem: unable to get local
> issuer certificate" when the CA is available?

When I extract "DigiCert High Assurance EV Root CA" by hand and use it
manually via -CAfile, it verifies correctly.

**********

$ openssl s_client -connect github.com:443 -tls1 -CAfile ~/DigiCert-High-Assurance-EV-Root-CA.pem
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify return:1
depth=0 businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = Delaware, serialNumber = 5157550, street = 548 4th Street, postalCode = 94107, C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = github.com
verify return:1

---
Certificate chain
 0 s:/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF4DCCBMigAwIBAgIQDACTENIG2+M3VTWAEY3chzANBgkqhkiG9w0BAQsFADB1
...
ff6IQDlhC8BIMKmCNK33cEYDfDWROtW7JNgBvBTwww8jO1gyug8SbGZ6bZ3k8OV8
XX4C2NesiZcLYbc2n7B9O+63M2k=
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/jurisdictionC=US/jurisdictionST=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3239 bytes and written 343 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    ...
    Start Time: 1440975808
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
Received on 2015-08-31
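
Added example, not part of the original mail and not curl project code: the grep in the quoted question only shows that the label text occurs in the bundle, so this sketch checks that each labelled entry is also followed by a complete, decodable PEM block. It assumes the bundle uses the mk-ca-bundle layout (label line, a line of "=" signs, then the PEM block); the function names and the sample bundle are constructed for illustration.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Assumed layout: a label line directly followed by an underline of '=' signs.
ENTRY = re.compile(r"^(?P<label>[^\n=#][^\n]*)\n=+[ \t]*$", re.MULTILINE)


def check_block(chunk):
    """Classify the text that follows one label: 'ok' or the reason it is unusable."""
    lines = [l.strip() for l in chunk.splitlines() if l.strip()]
    if BEGIN not in lines:
        return "no BEGIN line"
    start = lines.index(BEGIN)
    if END not in lines[start:]:
        return "no END line"
    stop = lines.index(END, start)
    try:
        der = base64.b64decode("".join(lines[start + 1:stop]), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "bad base64"
    # A DER-encoded certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    return "ok" if der[:1] == b"\x30" else "not DER"


def audit_bundle(text):
    """Return {label: status} for every labelled entry in the bundle text."""
    text = text.replace("\r\n", "\n")
    heads = list(ENTRY.finditer(text))
    report = {}
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        report[m.group("label").strip()] = check_block(text[m.end():end])
    return report


# Constructed sample: the payload is a tiny DER-shaped byte string, not a real certificate.
_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE = (
    f"Constructed Root A\n==================\n{BEGIN}\n{_B64}\n{END}\n\n"
    # Label is present (grep would match) but the block was cut before END.
    f"DigiCert High Assurance EV Root CA\n{'=' * 34}\n{BEGIN}\n{_B64}\n\n"
    f"Constructed Root B\n==================\n{BEGIN}\n{_B64[:-1]}!\n{END}\n"
)

if __name__ == "__main__":
    for label, status in audit_bundle(SAMPLE).items():
        print(f"{status:12} {label}")
```

A status of "ok" here means only that the block is structurally intact; whether the TLS library accepts it as a trust anchor still has to be confirmed with the library itself.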