Please help me understand why I cannot successfully curl this url via https:
I am using Ubuntu 12.04.5 with curl 7.22.0, libcurl 7.22.0 and OpenSSL 1.0.1-4ubuntu5.25
$ curl -v https://www.onevanilla.com/
* About to connect() to www.onevanilla.com port 443 (#0)
* Trying 199.83.128.4... connected
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
So I try to manually get the cert:
$ openssl s_client -connect www.onevanilla.com:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/www.onevanilla.com.pem
and then:
$ curl -v --cacert /tmp/www.onevanilla.com.pem https://www.onevanilla.com
but I get the same result:
* About to connect() to www.onevanilla.com port 443 (#0)
* Trying 199.83.128.4... connected
* successfully set certificate verify locations:
* CAfile: /tmp/www.onevanilla.com.pem
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I can verify the certificate with openssl:
$ openssl s_client -host www.onevanilla.com -port 443 -CApath /etc/ssl/certs
and this returns Verify return code: 0 (ok)
I've also run sudo update-ca-certificates --fresh
just to be sure, but no luck.
So it seems to me like the cert is valid (not expired, hostname matches CN), but I can never get a successful response using curl (unless of course I use the -k or --insecure options). Can someone please explain?
The curl --cacert <cert> option is used to specify a certificate authority to use to verify the server certificate. The certificate you copied from the s_client output is the server certificate, and using it as the --cacert argument fails because the server certificate is not self-signed, but signed by a different certificate authority (in your case, Go Daddy).
Invoke curl with the --capath option to specify the trusted root CA(s). This is analogous to the s_client -CApath <dir> option.
$ curl -v --capath /etc/ssl/certs https://www.onevanilla.com
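The following script is an added illustration of the point made in the answer above; it is not part of the original question or answer and does not contact www.onevanilla.com. It generates a throwaway CA and a server (leaf) certificate signed by it (the names "Example Test CA" and "www.example.test" are constructed for the demo), then shows that verifying the leaf against itself fails, exactly as curl did with --cacert /tmp/www.onevanilla.com.pem, while verifying it against the issuing CA succeeds. It also builds a -CApath style directory by hand, so you can see what curl and openssl look for in /etc/ssl/certs: the CA certificate stored under its subject hash, here "<hash>.0". It assumes an openssl binary is on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): why a server certificate cannot
# act as the trust anchor, but the CA that issued it can.
set -e

WORK=$(mktemp -d)

# Self-signed root CA. Constructed for this demo only.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Server (leaf) certificate signed by the CA, as Go Daddy signs a real site's
# certificate. It is NOT self-signed, which is the whole point.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# A hashed CA directory of the kind -CApath / --capath expects: each trusted
# certificate stored as <subject-hash>.0 (this is how /etc/ssl/certs is laid out).
make_capath() {
  mkdir -p "$WORK/capath"
  HASH=$(openssl x509 -hash -noout -in "$WORK/ca.pem")
  cp "$WORK/ca.pem" "$WORK/capath/$HASH.0"
}

# verify_file TRUSTED_PEM TARGET_PEM -> prints "ok" or "fail"
verify_file() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# verify_dir TRUSTED_DIR TARGET_PEM -> prints "ok" or "fail"
verify_dir() {
  if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_ca
make_leaf
make_capath

# The question's approach: the server cert itself as the trust anchor.
# OpenSSL cannot find the issuer "Example Test CA" in that file, so this fails.
LEAF_AS_ANCHOR=$(verify_file "$WORK/leaf.pem" "$WORK/leaf.pem")

# The answer's approach: the issuing CA as the trust anchor (file or hashed dir).
CA_FILE_AS_ANCHOR=$(verify_file "$WORK/ca.pem" "$WORK/leaf.pem")
CA_DIR_AS_ANCHOR=$(verify_dir "$WORK/capath" "$WORK/leaf.pem")

echo "leaf cert as trust anchor (-CAfile leaf.pem): $LEAF_AS_ANCHOR"
echo "issuing CA as trust anchor (-CAfile ca.pem):  $CA_FILE_AS_ANCHOR"
echo "issuing CA via hashed dir (-CApath capath/):  $CA_DIR_AS_ANCHOR"
```

Run it with sh; the first line prints "fail" and the other two print "ok". The same distinction applies to curl: --cacert and --capath take the issuer's certificate (or a directory of hashed issuer certificates), never the site's own certificate, unless that certificate is itself self-signed.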