Re: Using curl behind a proxy: unable to get local issuer certificate
Date: Mon, 29 Jan 2018 10:53:08 +0100 (CET)
On Sat, 27 Jan 2018, $BEN=(Es(J via curl-users wrote:
> I want to visit https://pypi.io, in a linux server. I have set environment
> variable HTTP_PROXY and HTTPS_PROXY, when I issued this command:
> *% curl -LO
> I got this error: *unable to get local issuer certificate*
This error is usually what you get when the server doesn't send you the full
set of certificates. Usually there's a missing intermediate certificate.
Athough in this case, I can curl this site just fine so I would perhaps rather
suspect that your CA store is incomplete / out-of-date?
> When I was trying to solve the problem, I found that, the certificate my
> browser and the openssl showcerts command shows different while they were
> using the same proxy.
> In my browser, I got certificates like this:
> *FIRST: MY_COMPANY Root Ca*
> *SECOND: pypi.org <http://pypi.org>*
Having your company accepted in the browser's CA store is a sign that you're
using a MITM proxy and your traffic is intercepted and inspected. That is
intself not a reason for an error, but perhaps you don't have your company's
CA cert in your CA store for your curl command?
> I want to know why,
I don't know! It's not a common scenario...
-- / daniel.haxx.se