
Re: Where did curl find that certificate?

From: Daniel Stenberg via curl-users <curl-users_at_cool.haxx.se>
Date: Sat, 6 Jun 2020 18:00:55 +0200 (CEST)

On Sat, 6 Jun 2020, Tony Lewis via curl-users wrote:

First: note that curl-users is the mailing list for the curl tool. For libcurl
subjects, we have curl-library.

> I am using the curl library in PHP for a WordPress website. Validation of a
> certificate for a website that I regularly interact with stopped working.
> After a fair amount of debugging I finally discovered that the root
> certificate being used expired on May 30, 2020.

This sounds like the AddTrust issue?

> However, the CA replaced that certificate in March 2019 with a new
> expiration date of December 31, 2028. Neither the expired nor replacement
> certificate appears in the CAfile reported in curl debugging output and the
> output shows the CApath as none. I tried adding the replacement certificate
> to CApath, but it still failed to validate. (Stopping and starting the
> server did not make any difference either.)

What TLS library and version are you using? If this is the AddTrust issue, you
probably see this because you use an older OpenSSL library that didn't handle
this correctly by default (and curl didn't enable but will in the future
thanks to https://github.com/curl/curl/pull/5530).

> How can I find out where curl got the expired certificate from?

curl shows its paths in the verbose output. There are no other paths involved.

> Is there something more I need to do besides adding the correct certificate
> to CApath to get curl to use the new certificate?

If we exclude problems with the TLS libraries, no, there's nothing else.

-- 
  / daniel.haxx.se | Commercial curl support up to 24x7 is available!
                   | Private help, bug fixes, support, ports, new features
                   | https://www.wolfssl.com/contact/
Received on 2020-06-06
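
Added example, not part of the original message or of curl itself: a small shell helper that pulls out of curl's own output the two things the reply asks about, the TLS library and version and the CAfile/CApath that the verbose output reports. The sample `curl -V` line, the sample verbose log and the `HOST` placeholder are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. All sample text below is constructed.

# Constructed first line of `curl -V`.
sample_version='curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 OpenSSL/1.0.2g zlib/1.2.8'

# Constructed `curl -sSv` stderr for a handshake that fails on expiry.
sample_verbose='* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS alert, certificate expired (557):
* SSL certificate problem: certificate has expired
curl: (60) SSL certificate problem: certificate has expired'

# TLS backend token from the first line of `curl -V` (list is not exhaustive).
tls_backend() {
    printf '%s\n' "$1" | head -n 1 | tr ' ' '\n' |
        grep -E '^(OpenSSL|LibreSSL|BoringSSL|GnuTLS|NSS|wolfSSL|mbedTLS|Schannel)' |
        head -n 1
}

# Trust-store locations curl reports; the CApath line may lack the "* " prefix.
verify_locations() {
    printf '%s\n' "$1" |
        sed -n -e 's/^[* ]*CAfile: */CAfile=/p' -e 's/^[* ]*CApath: */CApath=/p'
}

# Exit code and message from the final "curl: (NN) ..." line.
verify_error() {
    printf '%s\n' "$1" | sed -n 's/^curl: (\([0-9]*\)) \(.*\)$/\1 \2/p'
}

report() {  # $1 = `curl -V` output, $2 = verbose stderr
    echo "TLS backend: $(tls_backend "$1")"
    verify_locations "$2"
    echo "error: $(verify_error "$2")"
}

# Offline demo on the samples. Live use (HOST is a placeholder):
#   report "$(curl -V)" "$(curl -sSv -o /dev/null https://HOST/ 2>&1)"
report "$sample_version" "$sample_verbose"
```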