curl / Mailing Lists / curl-users / Single Mail

curl-users

Re: Using curl behind a proxy: unable to get local issuer certificate

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 29 Jan 2018 10:53:08 +0100 (CET)

On Sat, 27 Jan 2018, $BEN=(Es(J via curl-users wrote:

> I want to visit https://pypi.io, in a linux server. I have set environment
> variable HTTP_PROXY and HTTPS_PROXY, when I issued this command:
> *% curl -LO
> https://pypi.io/packages/source/v/virtualenv/virtualenv-15.0.2.tar.gz
> <https://pypi.io/packages/source/v/virtualenv/virtualenv-15.0.2.tar.gz>*
> I got this error: *unable to get local issuer certificate*

This error is usually what you get when the server doesn't send you the full
set of certificates. Usually there's a missing intermediate certificate.

Athough in this case, I can curl this site just fine so I would perhaps rather
suspect that your CA store is incomplete / out-of-date?

> When I was trying to solve the problem, I found that, the certificate my
> browser and the openssl showcerts command shows different while they were
> using the same proxy.
>
> In my browser, I got certificates like this:
>
> *FIRST: MY_COMPANY Root Ca*
> *SECOND: pypi.org <http://pypi.org>*

Having your company accepted in the browser's CA store is a sign that you're
using a MITM proxy and your traffic is intercepted and inspected. That is
intself not a reason for an error, but perhaps you don't have your company's
CA cert in your CA store for your curl command?

> I want to know why,

I don't know! It's not a common scenario...

-- 
  / daniel.haxx.se

-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2018-01-29