
curl-library

Re: can't verify SSL cert

From: Michael Wood <esiotrot_at_gmail.com>
Date: Sat, 21 Feb 2009 12:47:42 +0200

On Sat, Feb 21, 2009 at 12:51 AM, Jay Edgar <jedgar_at_qualtim.com> wrote:
>
>>You used CAPATH so I figure you did configure that dir properly after you put
>>the new cert there? I think you need to update some index somehow.
>
> Thanks for all the feedback, Daniel. I was surprised as well by the CA's
> response.
>
> As far as I know the folder the certificates are in has the proper
> permission, and I'll check with my network guy on Monday. I'll also be
> calling Comodo to see if they can offer any assistance.

I think what Daniel means is that it is not sufficient to have a
directory full of CA certs in PEM format. You also need to run some
command to create the right links to those. At least on Linux
(Ubuntu), I have a directory called /etc/ssl/certs containing a .pem
file for each CA cert. In addition, there are links like this:

lrwxrwxrwx 1 root root 31 Jun 27 2008 02b73561.0 -> Comodo_Secure_Services_root.pem

etc.

i.e. each .pem file has a link called xxxxxxxx.n pointing at it (where
xxxxxxxx is a hexadecimal number and n is an integer).

These links appear to be created by the "c_rehash" command that is
part of OpenSSL.

In addition to the separate .pem files, there is a ca-certificates.crt
file which is just the contents of all the .pem files placed one after
the other.

> I'm suspecting the problem is somewhere between php and curl and maybe
> IIS. I feel like I'm stuck out in left field, since php/IIS/windows is
> not the most normal configuration to run a system with.
>
> I've never been stuck for so long, and it's pretty old. If anyone on the
> list knows more about curl/php/iis, I'd be most grateful for the help.

See if running "c_rehash C:\path\to\certdir" fixes the problem.

Here's an online copy of the c_rehash manual page:
http://www.tin.org/bin/man.cgi?section=1&topic=c_rehash

-- 
Michael Wood <esiotrot_at_gmail.com>
Received on 2009-02-21
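
Added example, not part of the original mail: a small Python audit of a CAPATH-style directory that reports which .pem files have no xxxxxxxx.n entry resolving to them, and which xxxxxxxx.n entries match no .pem file. It compares file contents, so it accepts both symlinks and plain copies; it does not recompute the hash in the name (that is left to c_rehash). The function names, `New_CA.pem`, `Removed_CA.pem`, `deadbeef.0` and the placeholder file contents are constructed for the example.

```python
import os
import re
import tempfile

# Names of the form xxxxxxxx.n: eight hex digits, a dot, an integer.
HASH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def audit_capath(certdir):
    """Return (unindexed .pem files, hash-named entries matching no .pem)."""
    pems, entries = {}, []
    for name in sorted(os.listdir(certdir)):
        path = os.path.join(certdir, name)
        if HASH_NAME.match(name):
            entries.append(name)
        elif name.lower().endswith(".pem") and os.path.isfile(path):
            with open(path, "rb") as fh:
                pems[name] = fh.read()
    indexed, dangling = set(), []
    for name in entries:
        path = os.path.join(certdir, name)
        if not os.path.isfile(path):  # broken symlink or not a regular file
            dangling.append(name)
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        # Match by content so that symlinks and plain copies both count.
        hits = [pem for pem, body in pems.items() if body == data]
        indexed.update(hits)
        if not hits:
            dangling.append(name)
    return sorted(set(pems) - indexed), dangling


def build_sample(certdir):
    """Constructed sample: placeholder bytes, not real certificates."""
    for pem in ("Comodo_Secure_Services_root.pem", "New_CA.pem"):
        with open(os.path.join(certdir, pem), "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\n" + pem + "\n-----END CERTIFICATE-----\n")
    os.symlink("Comodo_Secure_Services_root.pem", os.path.join(certdir, "02b73561.0"))
    os.symlink("Removed_CA.pem", os.path.join(certdir, "deadbeef.0"))  # stale link


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(audit_capath(d))
```

A .pem file listed as unindexed is one that a CAPATH lookup will not find until the directory is rehashed.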