
RE: Where did curl find that certificate?

From: Tony Lewis via curl-users <curl-users_at_cool.haxx.se>
Date: Sat, 6 Jun 2020 18:53:49 -0700

> First: note that curl-users is the mailing list for the curl tool.

Sorry about that.

> This sounds like the AddTrust issue?

Yes. Now that I know what I'm looking for, that is precisely the issue I
encountered.

> What TLS library and version are you using?

OpenSSL 1.0.2o 27 Mar 2018

> > Is there something more I need to do besides adding the correct certificate
> > to CApath to get curl to use the new certificate?
>
> If we exclude problems with the TLS libraries, no, there's nothing else.

I'm still unsure why adding the correct certificate to CURLOPT_CAINFO does
not resolve the problem.

While I've been working on this, the ISP appears to have done something to
resolve the problem on the production system. I guess I can just turn off
peer verification on my development system.

Tony
-----Original Message-----
From: Daniel Stenberg [mailto:daniel_at_haxx.se]
Sent: Saturday, June 06, 2020 9:01 AM
To: Tony Lewis via curl-users
Cc: Tony Lewis
Subject: Re: Where did curl find that certificate?

On Sat, 6 Jun 2020, Tony Lewis via curl-users wrote:

First: note that curl-users is the mailing list for the curl tool. For libcurl
subjects, we have curl-library.

> I am using the curl library in PHP for a WordPress website. Validation of a
> certificate for a website that I regularly interact with stopped working.
> After a fair amount of debugging I finally discovered that the root
> certificate being used expired on May 30, 2020.

This sounds like the AddTrust issue?

> However, the CA replaced that certificate in March 2019 with a new
> expiration date of December 31, 2028. Neither the expired nor the replacement
> certificate appears in the CAfile reported in curl debugging output and the
> output shows the CApath as none. I tried adding the replacement certificate
> to CApath, but it still failed to validate. (Stopping and starting the
> server did not make any difference either.)

What TLS library and version are you using? If this is the AddTrust issue, you
probably see this because you use an older OpenSSL library that didn't handle
this correctly by default (and curl didn't enable it, but will in the future
thanks to https://github.com/curl/curl/pull/5530).

> How can I find out where curl got the expired certificate from?

curl shows its paths in the verbose output. There are no other paths involved.

> Is there something more I need to do besides adding the correct certificate
> to CApath to get curl to use the new certificate?

If we exclude problems with the TLS libraries, no, there's nothing else.

-- 
  / daniel.haxx.se | Commercial curl support up to 24x7 is available!
                   | Private help, bug fixes, support, ports, new features
                   | https://www.wolfssl.com/contact/
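Why adding the replacement root to CURLOPT_CAINFO did not help on an OpenSSL build that verifies the whole chain the server presents, as an added example that is not part of the thread or of curl: a toy Python model of the two path-building strategies, using constructed certificate records (all names and dates except the 2020-05-30 AddTrust expiry are made up) and the partial-chain verification that the thread's PR 5530 enables in curl.

```python
"""Toy model of the AddTrust expiry failure described in the thread.
Added example, not code from the thread or from curl: certs are plain dicts
with constructed names and dates (only the 2020-05-30 AddTrust expiry comes
from the thread), and both verifiers simplify real X.509 path building."""
from datetime import date

TODAY = date(2020, 6, 6)  # date of the thread

def cert(subject, issuer, not_after):
    return {"subject": subject, "issuer": issuer, "not_after": not_after}

# Constructed: the server still sends the old cross-signed chain ending in
# the expired AddTrust root; the client's CAfile already holds the
# intermediate's self-signed twin as a trust anchor.
SERVER_CHAIN = [
    cert("www.example.test", "USERTrust Toy CA", date(2021, 1, 1)),
    cert("USERTrust Toy CA", "AddTrust External CA Root", date(2028, 12, 31)),
    cert("AddTrust External CA Root", "AddTrust External CA Root", date(2020, 5, 30)),
]
CA_FILE = {c["subject"]: c for c in [
    cert("USERTrust Toy CA", "USERTrust Toy CA", date(2038, 1, 18)),
]}

def check_links(chain, today):
    """Shared checks: each issuer matches the next subject, nothing expired."""
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return f"{child['subject']} not issued by {parent['subject']}"
    for c in chain:
        if c["not_after"] < today:
            return f"{c['subject']} expired {c['not_after']}"
    return None

def verify_legacy(chain, ca_file, today=TODAY):
    """Old default: judge every presented cert, expired root included, and
    trust only a self-signed top that is in the CAfile."""
    err = check_links(chain, today)
    if err:
        return False, err
    top = chain[-1]
    if top["issuer"] != top["subject"] or top["subject"] not in ca_file:
        return False, "chain top is not a trusted root"
    return True, f"anchored at {top['subject']}"

def verify_partial_chain(chain, ca_file, today=TODAY):
    """X509_V_FLAG_PARTIAL_CHAIN semantics: stop at the first cert whose
    subject is an unexpired trust anchor and ignore everything above it."""
    for depth, c in enumerate(chain):
        anchor = ca_file.get(c["subject"])
        if anchor is not None and anchor["not_after"] >= today:
            err = check_links(chain[:depth + 1], today)
            return (False, err) if err else (True, f"anchored at {c['subject']}")
    return False, "no trust anchor reached"
```

With the same CAfile, the legacy walk fails on the expired root the server sent, while the partial-chain walk succeeds at the intermediate; that is the difference between the two OpenSSL behaviours the thread refers to.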
Received on 2020-06-07