curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: cacerts download is a bit sideways on Ubuntu

From: Ray Satiro via curl-library <>
Date: Mon, 11 Jan 2021 03:22:09 -0500

On 1/11/2021 2:48 AM, Jeffrey Walton via curl-library wrote:
> On Mon, Jan 11, 2021 at 2:35 AM Daniel Stenberg<> wrote:
>> On Mon, 11 Jan 2021, Jeffrey Walton via curl-library wrote:
>>> $ lsb_release -a
>>> Distributor ID: Ubuntu
>>> Description: Ubuntu 20.04.1 LTS
>>> Release: 20.04
>>> Codename: focal
>>> $ command -v wget
>>> /usr/bin/wget
>>> $ wget -O cacert.pem ''
>>> Unable to locally verify the issuer's authority.
>> The cert is used by Fastly for a vast amount of servers so you'll likely to
>> have widespread issues when it doesn't work.
> When I visit cURL's site in a browser, the CA used is Let's Encrypt
> (and not GlobalSign).
>> Finally: that URL is the old one anyway, get the bundle from the current URL
>> and you'll see that it is signed by anoter cert:
> OK, thanks. This did not help.
>> I tested the same on Ubuntu 18.04 with the shipped curl version there and it
>> works fine.
> Yeah, I updated from 18.04 to 20.04 last week. 18.04 did not have
> troubles. I think today is the first time I ran the script under
> 20.02.
> I can give you remote access if you are interested in duplicating it.
> I need your authorized_keys.

I'm using 16 LTS and I can't reproduce either. Try openssl

owner_at_ubuntu1604-x64-vm:~$ debsums ca-certificates | grep -i globalsign
/usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R4.crt OK
/usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R5.crt OK
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt OK
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R2.crt OK
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt OK
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R6.crt OK

owner_at_ubuntu1604-x64-vm:~$ SSL_CERT_DIR="" openssl s_client -connect -servername -CAfile
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt <
/dev/null | grep "Verify return code"
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA
verify return:1
depth=0 CN = *
verify return:1
     Verify return code: 0 (ok)

Received on 2021-01-11