Menu
I am getting the following error trying to connect to a specific https website using LWP:
LWP::Protocol::https::Socket: SSL connect attempt failed with unknown errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at /usr/local/share/perl/5.14.2/LWP/Protocol/http.pm line 51.
I tried with wget and got:
ERROR: cannot verify [domain]'s certificate, issued by `/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=********':
Unable to locally verify the issuer's authority.
I googled around and discovered that I probably had to install the godaddy root ca cert. I figured out how to do that (download certificates, put in /usr/share/ca-certificates and run update-ca-certificates). I also learnt how to use openssl s_client in the process.
Now that the certificate is installed, wget works, but LWP still fails with the same error and so does openssl s_client:
# openssl s_client -connect [domain]:443
CONNECTED(00000003)
depth=0 O = [domain], OU = Domain Control Validated, CN = [domain]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = [domain], OU = Domain Control Validated, CN = [domain]
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = [domain], OU = Domain Control Validated, CN = [domain]
verify error:num=21:unable to verify the first certificate
verify return:1
I have no idea where to go next to get this working. Any suggestions?
EDIT: SOLVED Here is a simple script that describes what worked after mikew's suggestion:
#!/usr/bin/perl
use LWP::UserAgent;
$URL="[domain]";
my $ua = LWP::UserAgent->new(ssl_opts => { SSL_ca_path=>'/etc/ssl/certs'});
my $response = $ua->get($URL);
253
Import the certificate into the local computer storeIn the Open box, type mmc, and then select OK. On the File menu, select Add/Remove snap-in. In the Add/Remove Snap-in dialog box, select Add. In the Add Standalone Snap-in dialog box, select Certificates, and then select Add.
The default location to install certificates is /etc/ssl/certs . This enables multiple services to use the same certificate without overly complicated file permissions. For applications that can be configured to use a CA certificate, you should also copy the /etc/ssl/certs/cacert.
For a more specific answer, we'd need to know how you are instantiating your LWP object.
But what you probably need to know about is the SSL_ca_file and SSL_ca_path options for ssl_opts in the LWP constructor. Without one of these set, it assumes the Mozilla_CA is the CA to to use to verify websites.
See LWP::Protocol::https
And LWP::UserAgent, ssl_opts constructor option.
If you are using something like lwp-download and not actually instantiating the LWP::UserAgent object yourself, then you need to set the PERL_LWP_SSL_CA_FILE environment variable to point to your certificate authority or set PERL_LWP_SSL_CA_PATH to your CA path. You can just set these instead of passing in to ssl_opts as well.
If you aren't particularly worried about doing all this verification and like to live dangerously, you can set verify_hostname => 0 for ssl_opts or set PERL_LWP_VERIFY_HOSTNAME environment variable to 0.
And as noted in the documentation, LWP 5.837 and earlier had verify_hostname off by default, whereas later versions default to it being on
138
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
