RE: Where did curl find that certificate?
Date: Sat, 6 Jun 2020 18:53:49 -0700
> First: note that curl-users is the mailing list for the curl tool.
Sorry about that.
> This sounds like the AddTrust issue?
Yes. Now that I know what I'm looking for, that is precisely the issue I
encountered.
> What TLS library and version are you using?
OpenSSL 1.0.2o 27 Mar 2018
> > Is there something more I need to do besides adding the correct
certificate
> > to CApath to get curl to use the new certificate?
>
> If we exclude problems with the TLS libraries, no there's nothing else.
I'm still unsure why adding the correct certificate to CURLOPT_CAINFO does
not resolve the problem.
While I've been working on this, the ISP appears to have done something to
resolve the problem on the production system. I guess I can just turn off
peer verification on my development system.
Tony
-----Original Message-----
From: Daniel Stenberg [mailto:daniel_at_haxx.se]
Sent: Saturday, June 06, 2020 9:01 AM
To: Tony Lewis via curl-users
Cc: Tony Lewis
Subject: Re: Where did curl find that certificate?
On Sat, 6 Jun 2020, Tony Lewis via curl-users wrote:
First: note that curl-users is the mailing list for the curl tool. For
libcurl
subjects, we have curl-library.
> I am using the curl library in PHP for a WordPress website. Validation of
a
> certificate for a website that I regularly interact with stopped working.
> After a fair amount of debugging I finally discovered that the root
> certificate being used expired on May 30, 2020.
This sounds like the AddTrust issue?
> However, the CA replaced that certificate in March 2019 with a new
> expiration date of December 31, 2028. Neither the expired or replacement
> certificate appears in the CAfile reported in curl debugging output and
the
> output shows the CApath as none. I tried adding the replacement
certificate
> to CApath, but it still failed to validate. (Stopping and starting the
> server did not make any difference either.)
What TLS library and version are you using? If this is the AddTrust issue,
you
probably see this because you use an older OpenSSL library that didn't
handle
this correctly by default (and curl didn't enable but will in the future
thanks to https://github.com/curl/curl/pull/5530).
> How can I find out where curl got the expired certificate from?
curl shows its paths in the verbose output. There's no other paths involved.
> Is there something more I need to do besides adding the correct
certificate
> to CApath to get curl to use the new certificate?
If we exclude problems with the TLS libraries, no there's nothing else.
-- / daniel.haxx.se | Commercial curl support up to 24x7 is available! | Private help, bug fixes, support, ports, new features | https://www.wolfssl.com/contact/ ----------------------------------------------------------- Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users Etiquette: https://curl.haxx.se/mail/etiquette.htmlReceived on 2020-06-07