curl-users

Re: Using curl behind a proxy: unable to get local issuer certificate

From: Ray Satiro <raysatiro_at_yahoo.com>
Date: Tue, 30 Jan 2018 16:32:31 -0500

On 1/29/2018 4:53 AM, Daniel Stenberg wrote:
> On Sat, 27 Jan 2018, 杜秀涛 via curl-users wrote:
>
>> I want to visit https://pypi.io, in a linux server. I have set environment
>> variable HTTP_PROXY and HTTPS_PROXY, when I issued this command:
>> % curl -LO https://pypi.io/packages/source/v/virtualenv/virtualenv-15.0.2.tar.gz
>> I got this error: *unable to get local issuer certificate*
>
> This error is usually what you get when the server doesn't send you
> the full set of certificates. Usually there's a missing intermediate
> certificate.
>
> Although in this case, I can curl this site just fine so I would
> perhaps rather suspect that your CA store is incomplete / out-of-date?
>
>> When I was trying to solve the problem, I found that, the certificate
>> my browser and the openssl showcerts command shows different while
>> they were using the same proxy.
>>
>> In my browser, I got certificates like this:
>>
>> *FIRST: MY_COMPANY Root Ca*
>> *SECOND: pypi.org*
>
> Having your company accepted in the browser's CA store is a sign that
> you're using a MITM proxy and your traffic is intercepted and
> inspected. That is in itself not a reason for an error, but perhaps you
> don't have your company's CA cert in your CA store for your curl command?
>
>> I want to know why,
>
> I don't know! It's not a common scenario...

I agree. Run curl with -v and check the server certificate and issuer.
Also check the CA certificate locations which are shown in this format:

* successfully set certificate verify locations:
*   CAfile: /foo/bar
  CApath: none

Received on 2018-01-30
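
The check suggested in the mail above, as an added example that is not part of the original message or of curl: a shell function that pulls the issuer, the CA locations and the verification error out of a `curl -v` transcript. The transcript is constructed, the function names are hypothetical, and the `subject:`, `issuer:` and `verify result` line formats are assumed to be those printed by curl's OpenSSL backend.

```sh
#!/bin/sh
# Added example: summarise the TLS details of a `curl -v` transcript on stdin.
# Prints one key=value line per field found.
curl_tls_summary() {
    awk '
        { sub(/\r$/, "") }    # tolerate CRLF transcripts
        # The CApath line has no leading "*" in the format quoted in the mail.
        /^\*?[ \t]*CAfile: / { sub(/^\*?[ \t]*CAfile: /, ""); print "cafile=" $0; next }
        /^\*?[ \t]*CApath: / { sub(/^\*?[ \t]*CApath: /, ""); print "capath=" $0; next }
        /^\*[ \t]+subject: / { sub(/^\*[ \t]+subject: /, ""); print "subject=" $0; next }
        /^\*[ \t]+issuer: /  { sub(/^\*[ \t]+issuer: /, "");  print "issuer=" $0; next }
        /SSL certificate (problem|verify result): / {
            sub(/^.*SSL certificate (problem|verify result): /, "")
            sub(/ \([0-9]+\).*$/, "")    # drop "(20), continuing anyway."
            if (!seen[$0]++) print "problem=" $0    # curl can report it twice
        }
    '
}

# Hypothetical helper: succeeds when the transcript shows the error from this
# thread, i.e. the issuer was not found in the CAfile/CApath curl loaded.
issuer_missing_from_store() {
    curl_tls_summary | grep -q '^problem=unable to get local issuer certificate$'
}

# Constructed transcript (not captured from a real host); the issuer name is
# the one the original poster saw in the browser.
sample_transcript() {
cat <<'EOF'
* successfully set certificate verify locations:
*   CAfile: /foo/bar
  CApath: none
* Server certificate:
*  subject: CN=pypi.org
*  issuer: CN=MY_COMPANY Root Ca
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
EOF
}

sample_transcript | curl_tls_summary
```

If the `issuer=` line names the company CA, that CA's certificate has to be present in the file or directory reported as `cafile=` / `capath=` for verification to succeed.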