curl / Mailing Lists / curl-users / Single Mail

curl-users

Re: Intermediate Certificate

From: Marcionelli Michele <michele.marcionelli_at_math.ethz.ch>
Date: Thu, 6 Dec 2018 22:22:57 +0000

On 6 Dec 2018, at 23:03, Marcionelli Michele <michele.marcionelli_at_math.ethz.ch<mailto:michele.marcionelli_at_math.ethz.ch>> wrote:

On 6 Dec 2018, at 22:27, Ralph Mitchell <ralphmitchell_at_gmail.com<mailto:ralphmitchell_at_gmail.com>> wrote:

On Thu, Dec 6, 2018 at 4:22 PM Marcionelli Michele <michele.marcionelli_at_math.ethz.ch<mailto:michele.marcionelli_at_math.ethz.ch>> wrote:
Hej,

I wrote a kind of link-checker in bash using curl and sometimes the check fails - I think - because an incomplete certificate chain. But with a browser the certificate looks good.

For instance this fails on a Fedora 29 (and also on CentOS 6, 7, Fedora 28 & CentOS 6 with self compiled curl 7.62.0):

# curl -v https://www.math.ias.edu<https://www.math.ias.edu/>

* Rebuilt URL to: https://www.math.ias.edu/
* Trying 192.16.204.152...
* TCP_NODELAY set
* Connected to www.math.ias.edu<http://www.math.ias.edu/> (192.16.204.152) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate

# curl --version

curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1 zlib/1.2.11 brotli/1.0.5 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh/0.8.5/openssl/zlib nghttp2/1.34.0
Release-Date: 2018-09-05
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz brotli TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL Metalink

The same command works on my Mac with OS X 10.13.6:

# curl -v https://www.math.ias.edu<https://www.math.ias.edu/>

* Rebuilt URL to: https://www.math.ias.edu/
* Trying 192.16.204.152...
* TCP_NODELAY set
* Connected to www.math.ias.edu<http://www.math.ias.edu/> (192.16.204.152) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; postalCode=08540; ST=New Jersey; L=Princeton; street=1 Einstein Drive; O=Institute for Advanced Study; OU=School of Mathematics; CN=*.math.ias.edu<http://math.ias.edu/>
* start date: Mar 15 00:00:00 2018 GMT
* expire date: Mar 15 23:59:59 2019 GMT
* subjectAltName: host "www.math.ias.edu<http://www.math.ias.edu/>" matched cert's "*.math.ias.edu<http://math.ias.edu/>"
* issuer: C=US; ST=MI; L=Ann Arbor; O=Internet2; OU=InCommon; CN=InCommon RSA Server CA
* SSL certificate verify ok.

# curl --version

curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20 zlib/1.2.11 nghttp2/1.24.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets HTTPS-proxy

Has someone any Idea why in the first case it fails?
Why in the second case it works?
And most important for me what can I do the run a successfully check on CentOS/Fedora?

Bests,
Michele

PS: I also copied my Mac /etc/ssl/cert.pem to Linux, without positive effect...

In Fedora 29, you're not using the /etc/ssl/cert.pem:

      * successfully set certificate verify locations:
      * CAfile: /etc/pki/tls/certs/ca-bundle.crt

Try it as:

     curl -v --capath /etc/ssl/cert.pem https://www.math.ias.edu<https://www.math.ias.edu/>

Ralph Mitchell

Sorry, in my "PS" when I said, that I hadn't success, I already tried the option "--capath ~/cert.pem". Here the result

* Rebuilt URL to: https://www.math.ias.edu/
* Trying 192.16.204.152...
* TCP_NODELAY set
* Connected to www.math.ias.edu<http://www.math.ias.edu/> (192.16.204.152) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: /home/****/cert.pem
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate

Sorry... actually I tried with "--cacert ~/cert.pem":

* Trying 192.16.204.152...
* TCP_NODELAY set
* Connected to www.math.ias.edu<http://www.math.ias.edu> (192.16.204.152) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /home/****/cert.pem
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate

-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2018-12-06