curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

difficulties with SSL certs

From: Dennis Clarke via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 8 Apr 2021 04:21:04 +0000

This is likely a problem with OpenSSL and not curl but regardless I was
surprised to see :


europa$
europa$ curl -4 -L --url 'https://gitlab.com/' -o /dev/null
  % Total % Received % Xferd Average Speed Time Time Time
Current
                                 Dload Upload Total Spent Left
Speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
    0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
europa$

europa$ curl --version
curl 7.75.0 (x86_64-unknown-freebsd13.0) libcurl/7.75.0 OpenSSL/1.1.1k
zlib/1.2.11 libidn2/2.3.0 libssh2/1.9.0
Release-Date: 2021-02-03
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt
pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HTTPS-proxy IDN Largefile libz NTLM NTLM_WB
SSL TLS-SRP UnixSockets
europa$

So I looked into the location where the ssl certs "should" be given my
curl config :

$ ./configure --prefix=/opt/bw --disable-dependency-tracking \
 --disable-silent-rules --without-gnu-ld --enable-shared \
 --enable-static \
 --with-libidn=/usr/local --with-libidn2=/usr/local \
 --with-ssl=/opt/bw --with-ca-path=/opt/bw/ssl/certs \
 --enable-tls-srp --with-libssh2

So I expect that the cacert.pem file at

    https://curl.se/docs/caextract.html

would solve all my problems however :

europa$ ls -lapb /opt/bw/ssl/certs/
total 350
drwxr-xr-x 2 root wheel 3 Apr 8 02:35 ./
drwxr-xr-x 5 root wheel 9 Apr 7 00:14 ../
-rw-r--r-- 1 root wheel 208075 Jan 19 04:12 cacert.pem
europa$

This does not help at all and even OpenSSL seems confused.

So I try to debug this with the s_client sub-command and see something
obvious right away :


europa# /opt/bw/bin/openssl s_client -4 -showcerts -connect gitlab.com:443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
Network, CN = USERTrust RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo
Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = gitlab.com
verify return:1
---
Certificate chain
 0 s:CN = gitlab.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited,
CN = Sectigo RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
MIIGBzCCBO+gAwIBAgIQP8Jvo234xjti44c2dq2FnDANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQD
.
.
.
etc etc etc
The "unable to get local issuer certificate" is the problem.
However the default FreeBSD system openssl here seems to have no issues:
CONNECTED(00000004)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo
Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = gitlab.com
verify return:1
---
Certificate chain
 0 s:CN = gitlab.com
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited,
CN = Sectigo RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
MIIGBzCCBO+gAwIBAgIQP8Jvo234xjti44c2dq2FnDANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQD
.
.
.
etc etc etc
So there must be a problem with the location of the ssl certs or the
contents of that cacert.pem file. So I dump out all the contents :
openssl crl2pkcs7 -nocrl -certfile /opt/bw/ssl/certs/cacert.pem | \
 openssl pkcs7 -print_certs -text > /var/tmp/dclarke/pile
I think the data I need is in there :
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST
Network, CN=USERTrust ECC Certification Authority
        Validity
            Not Before: Feb  1 00:00:00 2010 GMT
            Not After : Jan 18 23:59:59 2038 GMT
        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST
Network, CN=USERTrust ECC Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
.
.
.etc etc etc
Also this :
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST
Network, CN=USERTrust RSA Certification Authority
        Validity
            Not Before: Feb  1 00:00:00 2010 GMT
            Not After : Jan 18 23:59:59 2038 GMT
        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST
Network, CN=USERTrust RSA Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
Those exact serial numbers also exist in the FreeBSD default cert pile :
europa$ ls -la /usr/share/certs/trusted/USERTrust_*
-r--r--r--  1 root  wheel  3238 Apr  4 03:34
/usr/share/certs/trusted/USERTrust_ECC_Certification_Authority.pem
-r--r--r--  1 root  wheel  7669 Apr  4 03:34
/usr/share/certs/trusted/USERTrust_RSA_Certification_Authority.pem
europa$
I checked them.
So I am baffled.  What do I need in the SSL certs directory for both
OpenSSL and curl to be happy ?  Is this an OpenSSL question and not
really a curl question ?
-- 
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
Received on 2021-04-08