Questions on SSL Certificates
Date: Wed, 10 Jun 2015 09:02:32 -0400
I am using libcurl in an application that I cross-compile to run on a
Raspberry Pi. I've built libcurl with openssl. When I attempt to generate
an https POST, I get "Peer certificate cannot be authenticated with given
CA certificate." In this case, I'm trying to get my application to talk to

After reading http://curl.haxx.se/docs/sslcerts.html, I tried this: $ sudo
apt-get install ca-certificates, which did appear to install correctly.
But still no change in using libcurl from my application.
I also read somewhere that adding the ca-bundle.crt linked to from
http://curl.haxx.se/docs/caextract.html would solve my problem - no change
after trying that, either.
I don't have a good understanding of certificates or how to work with
them. Here is what I think I know:
- I'm ignoring all of the many search results that describe how to
"self-sign" certificates, because this would apply only if I were getting
this message while trying to connect to a server that no one has ever heard
of before; certificates for Google or other well-known sites I expect to be
included in "standard" certificate bundles.
- I don't want to use curl_easy_setopt(curl, CURLOPT_CAPATH, capath) because
I've never had to use it for my natively-compiled applications (I do often
build libcurl from source, but I've never had to link against an encryption
library that I've built myself, which I did do in this case). Is there a
reason I should reconsider and use this now? I expected that installing
the distribution's ca-certificate bundle would have just worked.
So I have a couple of questions:
- What does the configure option --with-ca-bundle do? Does this just
specify a path to search, or do the certificates actually get included in
library binaries? I'm guessing the former, since the certificates need to
be updated periodically?
- Should I have expected installing the Raspbian ca-certificate bundle to
solve this issue? Why wouldn't it work?
Detailed output from libcurl while I try to connect:
* Trying 22.214.171.124...
* Connected to accounts.google.com (126.96.36.199) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection:
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
Received on 2015-06-10