curl-library

Re:Re: How to use curl with nss supported?

From: ÕÅÐ÷·å <seasprayer_at_126.com>
Date: Fri, 10 Dec 2010 15:10:31 +0800 (CST)

Hi Kamil,

I downloaded the cacert.pem file from http://curl.haxx.se/docs/caextract.html,
then I ran:
$ curl --cacert cacert.pem https://bugzilla.mozilla.org

curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

I get the same output as with the PEM file I generated.
So what's the problem?

Thanks,
Xufeng Zhang

At 2010-12-09 18:46:11, "Kamil Dudka" <kdudka_at_redhat.com> wrote:

>On Thursday 09 December 2010 11:04:40 ÕÅÐ÷·å wrote:
>> I'm not sure about how to use curl with nss support.
>
>The natural way for NSS is to go through NSS database. You can specify its
>path by the environment variable SSL_DIR. You need to load your certificates
>into NSS database using certutil. Another way is to load PEM
>certificates/keys directly by curl. It, however, requires you to have a PEM
>reader PKCS11 module, which has not been accepted by NSS upstream yet:
>
>https://bugzilla.mozilla.org/show_bug.cgi?id=402712
>
>> >What are the problems?
>>
>> Can't access https:// through CA.
>>
>> >> Version
>> >> --------------
>> >> $ curl -V
>> >> curl 7.20.0 (i686-target-linux-gnu) libcurl/7.20.0 NSS/3.12.4.5
>> >> zlib/1.2.5 libidn/0.6.5 Protocols: dict file ftp ftps http https imap
>> >> imaps pop3 pop3s rtsp smtp smtps telnet tftp Features: IDN IPv6
>> >> Largefile SSL libz
>> >
>> >What distribution are you using? Are the packages provided by your
>> > distro?
>>
>> $ uname -a
>> Linux localhost 2.6.34.7 #1 PREEMPT Mon Dec 6 19:39:02 CST 2010 i686
>> i686 i386 GNU/Linux
>
>It does not say much about the distribution. But it is likely not Fedora
>nor RHEL, which means you probably don't have the PEM reader installed on
>your system by default.
>
>> curl+nss is based on a cross-compiled build.
>>
>> >> NSS database is in '/etc/pki/nssdb' directory.
>> >> When I run certutil, the output is:
>> >> $ certutil -L -d /etc/pki/nssdb/
>> >> Certificate Nickname                         Trust Attributes
>> >>                                              SSL,S/MIME,JAR/XPI
>> >> I don't know why there is no nickname output.
>> >
>> >If you have working Firefox, you can try to point curl to its database by
>> >setting $SSL_DIR.
>>
>> Firefox is not installed.
>> If I have set $SSL_DIR, then how do I use it?
>> $ curl -E -X GET https://bugzilla.redhat.com ?
>> That can't work.
>
>export SSL_DIR=/path/to/your/database
>
>> >> I also find there is a Makefile in '/usr/lib/ssl/certs' directory, which
>> >> can be used to generate PEM format CA. So I run 'make cacert.pem' and it
>> >> is created.
>> >> Lastly, when I use curl with this CA:
>> >> $ curl --cacert ./cacert.pem -X GET https://bugzilla.redhat.com
>> >> Segmentation fault
>> >
>> >If you are able to repeat the crash with the latest curl/nss, please
>> > attach the certificate that causes the crash. What does the following
>> > command say?
>> >
>> >$ openssl x509 -in ./cacert.pem -noout -text
>>
>> If I use it as below, then there is no crash:
>> $ curl --cert ./cacert.pem -X GET https://bugzilla.redhat.com
>> curl: (77) Problem with the SSL CA cert (path? access rights?)
>
>You can't supply a CA as a client certificate. I'll try to reproduce the crash
>myself. Please give me some steps to reproduce.
>
>Kamil
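As an added illustration of the two routes discussed in this thread (a PEM bundle passed with --cacert versus certificates loaded into an NSS database and selected through SSL_DIR), here is a small shell script that is not part of the original mail. It sanity-checks a home-made cacert.pem for the defects that produce curl's error 77, and wraps the certutil import Kamil describes; the file names, database directory and nickname are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. check_ca_bundle catches the usual
# reasons a home-made cacert.pem is rejected by `curl --cacert`; nss_import_ca
# is the NSS-database route. Paths and the nickname are placeholders.

# check_ca_bundle FILE: prints the number of CERTIFICATE blocks; returns 1 when
#  - the file holds a PRIVATE KEY (that belongs to --cert/--key, not --cacert),
#  - BEGIN/END markers do not pair up (truncated or badly concatenated file),
#  - there is no certificate block at all (what curl reports as error 77).
check_ca_bundle() {
  f=$1
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
  keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$f" || :)
  begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || :)
  ends=$(grep -c -e '-----END CERTIFICATE-----' "$f" || :)
  [ "$keys" -eq 0 ] || { echo "$f: contains a private key, not a CA bundle" >&2; return 1; }
  [ "$begins" -eq "$ends" ] || { echo "$f: unbalanced BEGIN/END CERTIFICATE markers" >&2; return 1; }
  [ "$begins" -gt 0 ] || { echo "$f: no certificate blocks found" >&2; return 1; }
  echo "$begins"
}

# nss_import_ca DBDIR NICK FILE: create the NSS database if needed, import FILE
# as a trusted CA (trust flags "C,,") and list it. Needs certutil on the PATH;
# --empty-password assumes a reasonably recent certutil.
nss_import_ca() {
  db=$1 nick=$2 f=$3
  command -v certutil >/dev/null 2>&1 || { echo "certutil not installed" >&2; return 1; }
  check_ca_bundle "$f" >/dev/null || return 1
  mkdir -p "$db"
  [ -f "$db/cert8.db" ] || [ -f "$db/cert9.db" ] || certutil -N -d "$db" --empty-password
  certutil -A -d "$db" -n "$nick" -t "C,," -i "$f" && certutil -L -d "$db"
}

# Constructed placeholder block so the checks can be exercised offline; the
# body is NOT a real certificate, only the markers matter to check_ca_bundle.
fake_cert_block() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' "MIIBconstructedPlaceholder$1" '-----END CERTIFICATE-----'
}

demo_dir=${TMPDIR:-/tmp}/cabundle-demo.$$
mkdir -p "$demo_dir"
{ fake_cert_block 1; fake_cert_block 2; } > "$demo_dir/cacert.pem"
n=$(check_ca_bundle "$demo_dir/cacert.pem") && echo "cacert.pem: $n CA certificate(s)"
# With a PEM reader module, the bundle can be passed straight to curl:
#   curl --cacert "$demo_dir/cacert.pem" https://bugzilla.mozilla.org
# Without it (the situation in this thread), load it into an NSS database and
# point curl at that database through SSL_DIR:
#   nss_import_ca "$demo_dir/nssdb" "Demo CA" "$demo_dir/cacert.pem" &&
#     SSL_DIR="$demo_dir/nssdb" curl https://bugzilla.mozilla.org
rm -rf "$demo_dir"
```

The demo section only exercises the bundle check; the curl and certutil commands are shown in comments because they need a network and an installed NSS toolchain.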

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2010-12-10