
Re: cacerts download is a bit sideways on Ubuntu

From: Jeffrey Walton via curl-library <curl-library_at_cool.haxx.se>
Date: Mon, 11 Jan 2021 03:49:51 -0500

On Mon, Jan 11, 2021 at 3:25 AM Ray Satiro via curl-library
<curl-library_at_cool.haxx.se> wrote:
>
> On 1/11/2021 2:48 AM, Jeffrey Walton via curl-library wrote:
>
> On Mon, Jan 11, 2021 at 2:35 AM Daniel Stenberg <daniel_at_haxx.se> wrote:
>
> On Mon, 11 Jan 2021, Jeffrey Walton via curl-library wrote:
>
> $ lsb_release -a
> Distributor ID: Ubuntu
> Description: Ubuntu 20.04.1 LTS
> Release: 20.04
> Codename: focal
>
> $ command -v wget
> /usr/bin/wget
>
> $ wget -O cacert.pem 'https://curl.haxx.se/ca/cacert.pem'
> Unable to locally verify the issuer's authority.
>
> The cert is used by Fastly for a vast amount of servers so you're likely to
> have widespread issues when it doesn't work.
>
> When I visit cURL's site in a browser, the CA used is Let's Encrypt
> (and not GlobalSign).
>
> Finally: that URL is the old one anyway, get the bundle from the current URL
> and you'll see that it is signed by another cert: https://curl.se/ca/cacert.pem
>
> OK, thanks. This did not help.
>
> I tested the same on Ubuntu 18.04 with the shipped curl version there and it
> works fine.
>
> Yeah, I updated from 18.04 to 20.04 last week. 18.04 did not have
> troubles. I think today is the first time I ran the script under
> 20.02.
>
> I can give you remote access if you are interested in duplicating it.
> I need your authorized_keys.
>
> I'm using 16 LTS and I can't reproduce either. Try openssl
>
> owner_at_ubuntu1604-x64-vm:~$ debsums ca-certificates | grep -i globalsign
> /usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R4.crt OK
> /usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R5.crt OK
> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt OK
> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R2.crt OK
> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt OK
> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R6.crt OK
>
> owner_at_ubuntu1604-x64-vm:~$ SSL_CERT_DIR="" openssl s_client -connect curl.haxx.se:443 -servername curl.haxx.se -CAfile /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt < /dev/null | grep "Verify return code"
> depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
> verify return:1
> depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA 2020
> verify return:1
> depth=0 CN = *.haxx.se
> verify return:1
> DONE
> Verify return code: 0 (ok)

OK, so it looks like something was sideways on my Focal system. I'm
guessing it was promiscuous linking. /usr/bin/wget was being runtime
linked with something I built and installed in /usr/local/lib, and
that caused the problem for curl.se (other sites were OK).

Jeff
Received on 2021-01-11
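
The runtime-linking situation described in the message above can be checked by listing which shared libraries a system binary resolves from outside the distribution's library directories. The following is an added example, not part of the original thread; the function names and the sample `ldd` output (including the library names) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag shared libraries that resolve outside the distro's
# library directories (/lib, /usr/lib and their 32/64 variants).

# Reads ldd-style lines on stdin; prints "soname resolved-path" for every
# library whose resolved path is not under a system library directory.
flag_nonsystem_libs() {
    awk '
        # Match lines such as: libfoo.so.1 => /path/libfoo.so.1 (0x...)
        $2 == "=>" && $3 ~ /^\// {
            if ($3 !~ /^\/(usr\/)?lib(32|64)?\//) print $1, $3
        }
    '
}

# Runs ldd on a binary and filters the result. ldd may invoke the dynamic
# loader on the target, so use it only on binaries you already trust.
check_binary() {
    ldd "$1" 2>/dev/null | flag_nonsystem_libs
}

# Constructed sample of ldd output for a binary in /usr/bin that picks up
# two locally built libraries ahead of the packaged ones.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc1a5f2000)
    libssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x00007f3a4c1d0000)
    libidn2.so.0 => /usr/local/lib/libidn2.so.0 (0x00007f3a4c1a0000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f3a4c180000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a4bf80000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f3a4c2a0000)'

# Stand-alone run: show what the filter reports for the constructed sample.
printf '%s\n' "$SAMPLE_LDD" | flag_nonsystem_libs
```

On a live system, `check_binary /usr/bin/wget` prints nothing when every dependency comes from the packaged library directories.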