Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
Re: cacerts download is a bit sideways on Ubuntu
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Mon, 11 Jan 2021 03:22:09 -0500
On 1/11/2021 2:48 AM, Jeffrey Walton via curl-library wrote:
> On Mon, Jan 11, 2021 at 2:35 AM Daniel Stenberg<daniel_at_haxx.se> wrote:
>> On Mon, 11 Jan 2021, Jeffrey Walton via curl-library wrote:
>>
>>> $ lsb_release -a
>>> Distributor ID: Ubuntu
>>> Description: Ubuntu 20.04.1 LTS
>>> Release: 20.04
>>> Codename: focal
>>>
>>> $ command -v wget
>>> /usr/bin/wget
>>>
>>> $ wget -O cacert.pem 'https://curl.haxx.se/ca/cacert.pem'
>>> Unable to locally verify the issuer's authority.
>> The cert is used by Fastly for a vast amount of servers so you'll likely to
>> have widespread issues when it doesn't work.
> When I visit cURL's site in a browser, the CA used is Let's Encrypt
> (and not GlobalSign).
>
>> Finally: that URL is the old one anyway, get the bundle from the current URL
>> and you'll see that it is signed by anoter cert:https://curl.se/ca/cacert.pem
> OK, thanks. This did not help.
>
>> I tested the same on Ubuntu 18.04 with the shipped curl version there and it
>> works fine.
> Yeah, I updated from 18.04 to 20.04 last week. 18.04 did not have
> troubles. I think today is the first time I ran the script under
> 20.02.
>
> I can give you remote access if you are interested in duplicating it.
> I need your authorized_keys.
I'm using 16 LTS and I can't reproduce either. Try openssl
owner_at_ubuntu1604-x64-vm:~$ debsums ca-certificates | grep -i globalsign
/usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R4.crt OK
/usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R5.crt OK
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt OK
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R2.crt OK
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt OK
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R6.crt OK
owner_at_ubuntu1604-x64-vm:~$ SSL_CERT_DIR="" openssl s_client -connect
curl.haxx.se:443 -servername curl.haxx.se -CAfile
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt <
/dev/null | grep "Verify return code"
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA
2020
verify return:1
depth=0 CN = *.haxx.se
verify return:1
DONE
Verify return code: 0 (ok)
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2021-01-11
Date: Mon, 11 Jan 2021 03:22:09 -0500
On 1/11/2021 2:48 AM, Jeffrey Walton via curl-library wrote:
> On Mon, Jan 11, 2021 at 2:35 AM Daniel Stenberg<daniel_at_haxx.se> wrote:
>> On Mon, 11 Jan 2021, Jeffrey Walton via curl-library wrote:
>>
>>> $ lsb_release -a
>>> Distributor ID: Ubuntu
>>> Description: Ubuntu 20.04.1 LTS
>>> Release: 20.04
>>> Codename: focal
>>>
>>> $ command -v wget
>>> /usr/bin/wget
>>>
>>> $ wget -O cacert.pem 'https://curl.haxx.se/ca/cacert.pem'
>>> Unable to locally verify the issuer's authority.
>> The cert is used by Fastly for a vast amount of servers so you'll likely to
>> have widespread issues when it doesn't work.
> When I visit cURL's site in a browser, the CA used is Let's Encrypt
> (and not GlobalSign).
>
>> Finally: that URL is the old one anyway, get the bundle from the current URL
>> and you'll see that it is signed by anoter cert:https://curl.se/ca/cacert.pem
> OK, thanks. This did not help.
>
>> I tested the same on Ubuntu 18.04 with the shipped curl version there and it
>> works fine.
> Yeah, I updated from 18.04 to 20.04 last week. 18.04 did not have
> troubles. I think today is the first time I ran the script under
> 20.02.
>
> I can give you remote access if you are interested in duplicating it.
> I need your authorized_keys.
I'm using 16 LTS and I can't reproduce either. Try openssl
owner_at_ubuntu1604-x64-vm:~$ debsums ca-certificates | grep -i globalsign
/usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R4.crt OK
/usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R5.crt OK
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt OK
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R2.crt OK
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt OK
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R6.crt OK
owner_at_ubuntu1604-x64-vm:~$ SSL_CERT_DIR="" openssl s_client -connect
curl.haxx.se:443 -servername curl.haxx.se -CAfile
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt <
/dev/null | grep "Verify return code"
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA
2020
verify return:1
depth=0 CN = *.haxx.se
verify return:1
DONE
Verify return code: 0 (ok)
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2021-01-11