cURL / Mailing Lists / curl-library / Single Mail


Re: can't verify SSL cert

From: Michael Wood <>
Date: Sat, 21 Feb 2009 12:47:42 +0200

On Sat, Feb 21, 2009 at 12:51 AM, Jay Edgar <> wrote:
>>You used CAPATH so I figure you did configure that dir properly after
> you >put
>>the new cert there? I think you need to update some index somehow.
> Thanks for all the feedback, Daniel. I was surprised as well by the CA's
> response.
> As far as I know the folder the certificates are in have the proper
> permission, and I'll check with my network guy on Monday. I'll also be
> calling Comodo to see if they can offer any assistance.

I think what Daniel means is that it is not sufficient to have a
directory full of CA certs in PEM format. You also need to run some
command to create the right links to those. At least on Linux
(Ubuntu), I have a directory called /etc/ssl/certs containing a .pem
file for each CA cert. In addition, there are links like this:

lrwxrwxrwx 1 root root 31 Jun 27 2008 02b73561.0 ->


i.e. each .pem file has a link called xxxxxxxx.n pointing at it (where
xxxxxxxx is a hexadecimal number and n is an integer).

These links appear to be created by the "c_rehash" command that is
part of OpenSSL.

In addition to the separate .pem files, there is a ca-certificates.crt
file which is just the contents of all the .pem files placed one after
the other.

> I'm suspecting the problem is somewhere between php and curl and maybe
> IIS. I feel like I'm stuck out in left field, since php/IIS/windows is
> not the most normal configuration to run a system with.
> I've never been stuck for so long, and it's pretty old. If anyone on the
> list knows more about curl/php/iis, I'd be most grateful for the help.

See if running "c_rehash C:\path\to\certdir" fixes the problem.

Here's an online copy of the c_rehash manual page:

Michael Wood <>
Received on 2009-02-21