cURL says certificate is expired, Firefox disagrees

Tags: curl, ssl, openssl

I'm trying to access an internal site via cURL (which I could access several days ago). However, cURL gives the error curl: (60) SSL certificate problem: certificate has expired. If I use openssl to check the start and end dates of the certificate, it gives a timeframe that I'm well within:

echo | openssl s_client -connect internalsite.example.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Nov 30 00:00:00 2012 GMT
notAfter=Mar 30 12:00:00 2016 GMT
# For reference, the day I'm posting this is July 30th, 2014

Additionally, if I use cURL on a different computer, or connect via the browser (Firefox, Chrome, or IE), I can connect without error.

Also, I'm unable to connect with any version of cURL on my own computer; this includes cURL in Cygwin and cURL on Ubuntu inside a virtual machine, as well as the Windows version.

What might give rise to this behaviour?

lelandbatey asked Jul 30 '14 22:07



2 Answers

Your cert bundle is probably out of date.

You can get one that's maintained by the curl developers at http://curl.haxx.se/ca/cacert.pem

To use it:

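<?php
// The CA bundle options only take effect for an https:// URL.
$ch = curl_init("https://example.com");
// Verify the server's certificate chain and that it matches the host name.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
// Point curl at the downloaded CA bundle.
curl_setopt($ch, CURLOPT_CAINFO, '/path/to/cacert.pem');
$response = curl_exec($ch);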
Jaime answered Sep 29 '22 15:09


My curl is using the certificate bundle stored in:

/etc/ssl/certs/ca-certificates.crt

I've had this problem in the past, and I fixed it by looking at a machine where curl was working and comparing the .crt files from those two machines, and copying the missing certificate over.

I just had this problem again, and I fixed it this time by just copying the entire file over from the newer machine (a more recent Ubuntu install; the machine where I have the problem is ancient).

And it worked.

Jason Rohrer answered Sep 29 '22 13:09
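
Both answers point at the local CA bundle rather than the site's own certificate, whose dates the question already checked. The following is an added example, not code from either answer: it lists the entries of a PEM bundle that have expired or will expire within a given window, so an old bundle can be inspected before it is replaced. The function name `expiring_in_bundle` and the script name `check_bundle.sh` are hypothetical, and `openssl` is assumed to be on the PATH.

```sh
#!/bin/sh
# Added example: report certificates in a PEM CA bundle that are expired,
# or that expire within a given number of seconds.

# expiring_in_bundle BUNDLE [SECONDS]
# Prints "<notAfter><TAB><subject>" for every certificate in BUNDLE whose
# notAfter falls within SECONDS from now (default 0: already expired).
expiring_in_bundle() {
    eib_bundle=$1
    eib_window=${2:-0}
    eib_tmp=$(mktemp -d) || return 2

    # Split the bundle into one file per certificate.
    awk -v dir="$eib_tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%05d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
    ' "$eib_bundle"

    for eib_cert in "$eib_tmp"/*.pem; do
        [ -e "$eib_cert" ] || continue
        # -checkend exits non-zero when the certificate expires within the window.
        if ! openssl x509 -in "$eib_cert" -noout -checkend "$eib_window" >/dev/null 2>&1; then
            printf '%s\t%s\n' \
                "$(openssl x509 -in "$eib_cert" -noout -enddate | cut -d= -f2-)" \
                "$(openssl x509 -in "$eib_cert" -noout -subject)"
        fi
    done
    rm -rf "$eib_tmp"
}

# Stand-alone use: sh check_bundle.sh /etc/ssl/certs/ca-certificates.crt
if [ "$#" -gt 0 ]; then
    expiring_in_bundle "$@"
fi
```

Running it against the bundle on the failing machine and on a working one shows whether the two differ in expired entries; a certificate that is missing altogether, as in the second answer, will not show up here.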