curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Does cURL accept a CA that is not self signed?

From: Jeffrey Walton via curl-library <>
Date: Thu, 28 Nov 2019 13:50:08 -0500

Hi Everyone,

I'm having trouble connecting to a server that uses Let's Encrypt. The
code is below. The error is:

    Error: Failed to download file, error 60, SSL peer
    certificate or SSH remote key was not OK.

The code is below, and the real code performs error checking. The only
failure is the download.

    // Let's Encrypt Authority X3. Looks OK with 'openssl x509'
    const char ca[] = "./letsencrypt-ca.pem";

    curl = curl_easy_init();
    curl_easy_setopt (curl, CURLOPT_URL, url);
    curl_easy_setopt (curl, CURLOPT_CAINFO, ca);
    curl_easy_setopt (curl, CURLOPT_WRITEDATA, fp);

    res = curl_easy_perform(curl);
    if (res != CURLE_OK)
        log_error("Failed to download file, error %d, %s.\n", res,

The only thing I can think of is, cURL does not accept a CA that is
not self signed. If that is the case, is it possible to opt-out of the
RFC 4158 requirement. In OpenSSL the option I want/need is
X509_V_FLAG_PARTIAL_CHAIN. (As far as I know, the only place that
effectively forbids non-self signed CA's is the path building RFC).

Does anyone spot anything out of the ordinary?

Received on 2019-11-28