curl-users
Re: A error log when used the curl command tool in embedded linux device
Date: Tue, 13 Dec 2016 17:00:05 +0800
Hi Ray,
Thank you for your reply.
That was the latest cacert.pem I copied from the curl.haxx.se.
--------------------log-------------------------------------------------------------
/tmp # ./curl -V
curl 7.51.0 (arm-hisiv400-linux-gnueabi) libcurl/7.51.0 OpenSSL/1.1.0c
nghttp2/1.17.0
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp
smb smbs smtp smtps telnet tftp
Features: IPv6 Largefile NTLM NTLM_WB SSL TLS-SRP HTTP2 UnixSockets
/tmp # ./curl -v --cacert /etc/ssl/certs/cacert.pem https://curl.haxx.se/
* Trying 80.67.6.50...
* TCP_NODELAY set
* Connected to curl.haxx.se (80.67.6.50) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection:
ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/cacert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
/tmp #
--------------------------------------------------------------------------------------------------------------------------------
And I used the openssl command, it shows:
-------------------------log
--------------------------------------------------------------------
/tmp # ./openssl s_client -connect curl.haxx.se:443 -CApath /etc/ssl/certs/
CONNECTED(00000003)
depth=0 CN = anja.haxx.se
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = anja.haxx.se
verify error:num=21:unable to verify the first certificate
verify return:1
--- Certificate chain 0 s:/CN=anja.haxx.se i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 --- Server certificate -----BEGIN CERTIFICATE----- ---- ----------------------------------------------------------------------------------------------------- For the cacert.pem file. I just copy from the web, then paste it in a new txt file, then rename to cacert.pem. And I also checked the cacert.pem and delete all of the "^M" Is it right? Thanks
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-users
FAQ: https://curl.haxx.se/docs/faq.html
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-12-13