
Re: Adding Mozilla CA certificates

From: Timothe Litt <>
Date: Mon, 27 Nov 2023 11:41:23 -0500

On 27-Nov-23 10:03, Luis Carlos Chalaca Figueira via curl-library wrote:
> Hello,
> While developing a crawler I realized that some websites that can be
> displayed by Chrome and Firefox would throw SSL errors on libcurl
> requests
> Exs:
> SSL connect error
> SSL routines::unsafe legacy renegotiation disabled
> SSL peer certificate or SSH remote key was not OK
> Therefore I had the idea of adding the certificates used by Firefox to
> prevent that.
> I downloaded the cacert.pem file from
> and added it to the ca store with
> the following commands:
> $ openssl x509 -in cacert-Mozzila.pem -out cacert-Mozzila.crt
> $ sudo cp cacert-Mozzila.crt /usr/local/share/ca-certificates
> $ sudo update-ca-certificates
> However those sites continue to throw those errors. What have I missed
> to be able to get the same responses as Firefox?
Your openssl x509 command will only extract one certificate from the
bundle.  You don't need it.  cacert.pem is a bundle of many.

Copy the downloaded cacert.pem to whatever location and/or name your
distribution needs.  Or symlink from there to your download location.

Note that this doesn't add the bundle to the system default; it replaces
the system default.  To add you need to merge the bundles, which is a
bit more involved.  In most cases, simply using the Mozilla bundle suffices.

As Daniel noted, legacy renegotiation has nothing to do with the ca store.

Timothe Litt
ACM Distinguished Engineer
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.

Received on 2023-11-27
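
The two points in the reply above (a PEM bundle holds many certificate blocks, and adding rather than replacing means merging bundles), as an added example that is not part of the original mail or of curl. The helper names and the sample bundles are assumptions; the sample blocks are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

# Matches each certificate block; text between blocks (comments, labels) is ignored.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.DOTALL
)

def split_bundle(pem_text):
    """Return the DER bytes of every certificate block in a PEM bundle, in order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_CERT.findall(pem_text)]

def to_pem(der):
    """Re-encode DER bytes as one PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def merge_bundles(*bundles):
    """Union of several bundles, de-duplicated by SHA-256 of the DER encoding."""
    seen, merged = set(), []
    for text in bundles:
        for der in split_bundle(text):
            fingerprint = hashlib.sha256(der).hexdigest()
            if fingerprint not in seen:
                seen.add(fingerprint)
                merged.append(der)
    return "".join(to_pem(der) for der in merged)

# Constructed stand-ins: arbitrary bytes in PEM armor, NOT real certificates.
ROOT_A, ROOT_B, ROOT_C = (f"constructed-root-{n}".encode() * 5 for n in "ABC")
SYSTEM_BUNDLE = to_pem(ROOT_A) + to_pem(ROOT_B)
MOZILLA_BUNDLE = "# label line\n" + to_pem(ROOT_B) + "\n# label line\n" + to_pem(ROOT_C)

if __name__ == "__main__":
    print("blocks in downloaded bundle:", len(split_bundle(MOZILLA_BUNDLE)))
    # A single-certificate read keeps only the first block and drops the rest.
    print("blocks a one-cert read keeps:", len(split_bundle(MOZILLA_BUNDLE)[:1]))
    merged = merge_bundles(SYSTEM_BUNDLE, MOZILLA_BUNDLE)
    print("blocks after merge:", len(split_bundle(merged)))
```

The merged text can be written to a file and given to curl with `--cacert` or to libcurl with `CURLOPT_CAINFO`. A merge trusts the union of both stores, so a root that one bundle has dropped stays trusted if the other still carries it.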