Re: difficulties with SSL certs
From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 8 Apr 2021 02:53:47 -0400
On 4/8/2021 12:21 AM, Dennis Clarke via curl-library wrote:
> europa$
> europa$ curl -4 -L --url 'https://gitlab.com/' -o /dev/null
> % Total % Received % Xferd Average Speed Time Time Time
> Current
> Dload Upload Total Spent Left
> Speed
> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
> 0
> curl: (60) SSL certificate problem: unable to get local issuer certificate
> More details here: https://curl.se/docs/sslcerts.html
>
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.
> europa$
>
> europa$ curl --version
> curl 7.75.0 (x86_64-unknown-freebsd13.0) libcurl/7.75.0 OpenSSL/1.1.1k
> zlib/1.2.11 libidn2/2.3.0 libssh2/1.9.0
> Release-Date: 2021-02-03
> Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt
> pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
> Features: alt-svc AsynchDNS HTTPS-proxy IDN Largefile libz NTLM NTLM_WB
> SSL TLS-SRP UnixSockets
> europa$
>
> So I looked into the location where the ssl certs "should" be given my
> curl config :
>
> $ ./configure --prefix=/opt/bw --disable-dependency-tracking \
> --disable-silent-rules --without-gnu-ld --enable-shared \
> --enable-static \
> --with-libidn=/usr/local --with-libidn2=/usr/local \
> --with-ssl=/opt/bw --with-ca-path=/opt/bw/ssl/certs \
> --enable-tls-srp --with-libssh2
>
> So I expect that the cacert.pem file at
>
> https://curl.se/docs/caextract.html
>
> would solve all my problems however :
>
> europa$ ls -lapb /opt/bw/ssl/certs/
> total 350
> drwxr-xr-x 2 root wheel 3 Apr 8 02:35 ./
> drwxr-xr-x 5 root wheel 9 Apr 7 00:14 ../
> -rw-r--r-- 1 root wheel 208075 Jan 19 04:12 cacert.pem
> europa$
>
> This does not help at all and even OpenSSL seems confused.

What is your curl -V version and the verbose output? Your CA path is
supposed to contain the certificate files named by hash value [1], which
it doesn't. Putting a single file with a bundle of certificates in the
path won't help. You can use configure option --with-ca-bundle=FILE.

Note your OS may have a packaged and maintained directory containing
certificates or a bundle of certificates; I would use that if you can.
Also see [2] for scanned paths.

[1]: https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html
[2]: https://github.com/curl/curl/blob/curl-7_76_0/acinclude.m4#L2182-L2192
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
Received on 2021-04-08
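
The CA path versus CA bundle distinction from the reply above, as an added example that is not part of the original thread: a POSIX shell check that classifies a directory by whether it holds hash-named entries or only an unhashed PEM file. The function name `check_capath` is hypothetical, and the check looks only at the `<8 hex digits>.<n>` name pattern; it does not recompute the subject hash of each certificate.

```shell
#!/bin/sh
# Added example (not from the thread): classify a directory the way an
# OpenSSL CA path lookup sees it. Issuers are found by file name
# <8 hex digits>.<n>; other files in the directory are never opened.

# check_capath DIR -> prints: hashed | bundle-only | unhashed | empty | missing
check_capath() {
    dir=$1
    [ -d "$dir" ] || { echo missing; return 0; }
    hashed=0 bundles=0 singles=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue        # skips unmatched glob and dangling links
        name=${f##*/}
        if printf '%s\n' "$name" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
            hashed=$((hashed + 1))
            continue
        fi
        # Count PEM certificates in a file that is not hash-named.
        n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
        if [ "$n" -gt 1 ]; then bundles=$((bundles + 1))
        elif [ "$n" -eq 1 ]; then singles=$((singles + 1))
        fi
    done
    if [ "$hashed" -gt 0 ]; then echo hashed
    elif [ "$bundles" -gt 0 ]; then echo bundle-only
    elif [ "$singles" -gt 0 ]; then echo unhashed
    else echo empty
    fi
}

# Report only when a directory is given on the command line.
if [ $# -gt 0 ]; then
    case $(check_capath "$1") in
        hashed)      echo "$1: hash-named entries present, usable as a CA path" ;;
        bundle-only) echo "$1: only a bundle file; give curl the file itself"
                     echo "  (--cacert FILE, or configure --with-ca-bundle=FILE)" ;;
        unhashed)    echo "$1: single certificates without hash names;"
                     echo "  'openssl rehash DIR' (OpenSSL 1.1.0+) creates the links" ;;
        *)           echo "$1: no certificates found" ;;
    esac
fi
```

Run against the directory from the quoted `ls` output, which holds only `cacert.pem`, this reports `bundle-only`.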