
Re: difficulties with SSL certs

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 8 Apr 2021 02:53:47 -0400

On 4/8/2021 12:21 AM, Dennis Clarke via curl-library wrote:
> europa$
> europa$ curl -4 -L --url 'https://gitlab.com/' -o /dev/null
> % Total % Received % Xferd Average Speed Time Time Time
> Current
> Dload Upload Total Spent Left
> Speed
> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
> 0
> curl: (60) SSL certificate problem: unable to get local issuer certificate
> More details here: https://curl.se/docs/sslcerts.html
>
> curl failed to verify the legitimacy of the server and therefore could not
> establish a secure connection to it. To learn more about this situation and
> how to fix it, please visit the web page mentioned above.
> europa$
>
> europa$ curl --version
> curl 7.75.0 (x86_64-unknown-freebsd13.0) libcurl/7.75.0 OpenSSL/1.1.1k
> zlib/1.2.11 libidn2/2.3.0 libssh2/1.9.0
> Release-Date: 2021-02-03
> Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt
> pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
> Features: alt-svc AsynchDNS HTTPS-proxy IDN Largefile libz NTLM NTLM_WB
> SSL TLS-SRP UnixSockets
> europa$
>
> So I looked into the location where the ssl certs "should" be given my
> curl config :
>
> $ ./configure --prefix=/opt/bw --disable-dependency-tracking \
> --disable-silent-rules --without-gnu-ld --enable-shared \
> --enable-static \
> --with-libidn=/usr/local --with-libidn2=/usr/local \
> --with-ssl=/opt/bw --with-ca-path=/opt/bw/ssl/certs \
> --enable-tls-srp --with-libssh2
>
> So I expect that the cacert.pem file at
>
> https://curl.se/docs/caextract.html
>
> would solve all my problems however :
>
> europa$ ls -lapb /opt/bw/ssl/certs/
> total 350
> drwxr-xr-x 2 root wheel 3 Apr 8 02:35 ./
> drwxr-xr-x 5 root wheel 9 Apr 7 00:14 ../
> -rw-r--r-- 1 root wheel 208075 Jan 19 04:12 cacert.pem
> europa$
>
> This does not help at all and even OpenSSL seems confused.


What is your curl -V version and the verbose output? Your CA path is
supposed to contain the certificate files named by hash value [1], which
it doesn't. Putting a single file with a bundle of certificates in the
path won't help. You can use configure option --with-ca-bundle=FILE.
Note your OS may have a packaged and maintained directory containing
certificates or a bundle of certificates; I would use that if you can.
Also see [2] for scanned paths.

[1]:
https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html
[2]: https://github.com/curl/curl/blob/curl-7_76_0/acinclude.m4#L2182-L2192

Received on 2021-04-08
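
The difference between a CA directory and a CA bundle file described in the reply above, as an added example that is not part of the original mail or of the curl project. It assumes the `openssl` command-line tool is installed; the CA, the leaf certificate and all paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Every subject name and path here is constructed for the demo.
set -u

# Copy one PEM certificate into DIR as <subject-hash>.N, the name OpenSSL's
# CApath lookup searches for (what `openssl rehash DIR` automates).
hash_cert() {
    h=$(openssl x509 -in "$1" -noout -hash) || return 1
    n=0
    while [ -e "$2/$h.$n" ]; do n=$((n + 1)); done
    cp "$1" "$2/$h.$n"
}

# Build a throwaway CA plus a leaf it signs, and two trust stores under $1:
#   bundle-dir/cacert.pem  a bundle file dropped into a directory
#   hashed-dir/<hash>.0    the same CA stored under its hash name
make_fixture() {
    d=$1
    mkdir -p "$d/bundle-dir" "$d/hashed-dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
    cp "$d/ca.pem" "$d/bundle-dir/cacert.pem" || return 1
    hash_cert "$d/ca.pem" "$d/hashed-dir"
}

# Exit status 0 means the leaf chained to a trusted issuer.
verify_capath() { openssl verify -CApath "$1" "$2" >/dev/null 2>&1; }
verify_cafile() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

report() { if "$@"; then echo "  verified"; else echo "  NOT verified"; fi; }

tmp=$(mktemp -d) && make_fixture "$tmp" || exit 1
echo "CApath = directory holding only cacert.pem:"
report verify_capath "$tmp/bundle-dir" "$tmp/leaf.pem"
echo "CAfile = that same cacert.pem:"
report verify_cafile "$tmp/bundle-dir/cacert.pem" "$tmp/leaf.pem"
echo "CApath = directory with hash-named file:"
report verify_capath "$tmp/hashed-dir" "$tmp/leaf.pem"
rm -rf "$tmp"
```

The same split applies to curl at run time: `--cacert FILE` takes a bundle, `--capath DIR` takes a hash-named directory.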