Douglas

Reputation: 5349

Where to put certificates cacert.pem for cURL?

I'm trying to update rvm on a Debian server :

rvm get stable

but I got the following error:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here : http://curl.haxx.se/docs/sslcerts.html

I installed this server about 5 months ago and everything was working fine, but it seems that something changed on the certificate of https://rvm.io

So I managed to download a new bundle certificate (cacert.pem in my user directory) :

wget http://curl.haxx.se/ca/cacert.pem

And tried a different command, as the official doc says, but with an option for the certificate file to use:

\curl --cacert ./cacert.pem -L https://get.rvm.io | bash -s stable # update to stable

Things moved a bit forward. Unfortunately, later on, rvm ran curl again during the install process and I got the same error again.

So I was wondering where to put my cacert.pem file to replace the one used by cURL?

I tried other techniques as well: creating a .curlrc file containing cacert = ~/cacert.pem, but I got an error: CAfile: cacert.pem CApath: /etc/ssl/certs

So I tried to copy my cacert.pem into /usr/share/ca-certificates/cacert.org and made a symlink in /etc/ssl/certs that points to /usr/share/ca-certificates/cacert.org/cacert.pem

But when I run

rvm get stable

I got the error :

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here : http://curl.haxx.se/docs/sslcerts.html

I also tried the following, without a different result though:

sudo update-ca-certificates -f

So I am wondering where to put my cacert.pem file?

Upvotes: 10

Views: 31110

Answers (1)

Douglas

Reputation: 5349

Ok, I managed to make it work, but I'm not very happy with my solution.

The first mistake I was making was that the instruction in the .curlrc file was incorrect. We should use this file the same way we specify options to the "curl" command. So I removed the "equal sign":

cacert /home/user_me/cacert.pem

With this I was able to make the first part of the command work:

\curl -L https://get.rvm.io | bash -s stable

The bash part was still failing because rvm was using curl again in root mode.

So I copied my .curlrc file as well into the /root folder.

And it worked! I could even call the standard rvm command:

rvm get stable

But this is a bit tricky, and I would prefer that curl use my cacert.pem file without all those .curlrc files.

Googling more, I found some useful information here and here. The first reference has a little mistake: when I read the man page of the "sudo update-ca-certificates --fresh" command, I realized the guy was putting his file in the wrong place.

You have to put your certificate into the /usr/share/ca-certificates folder instead of /usr/local/share/ca-certificates, and then append a line for your certificate to the configuration file /etc/ca-certificates.conf (e.g., "my_ca.crt"). Then you may run your "sudo update-ca-certificates --fresh" command.

Note: If you copy your certificate to /usr/local/share/ca-certificates instead, then you no longer need to modify the /etc/ca-certificates.conf configuration file nor run the "sudo update-ca-certificates --fresh" command.

However, in my case, for the first solution (/usr/share/ca-certificates) I got an error when I ran the "sudo update-ca-certificates --fresh" command. As a second solution, I tried just putting my certificate into /usr/local/share/ca-certificates. But it didn't work.

So I gave up and I kept my two .curlrc files.

So if anybody could point out what I was doing wrong, I would be very grateful.

Upvotes: 5
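
An added example, not part of the answer above: the update-ca-certificates man page says only files with a .crt extension are included, and the hashed lookup links in /etc/ssl/certs are built only for files holding exactly one certificate, so a bundle named cacert.pem does not fit either rule. The sketch below splits a bundle into one-certificate .crt files; the function names, the "extra" subdirectory and the "curl-bundle" prefix are assumptions made for this example.

```shell
#!/bin/sh
# Added example. update-ca-certificates only picks up files named *.crt,
# and the hashed links in /etc/ssl/certs need one certificate per file.

# split_bundle BUNDLE DESTDIR [PREFIX]: write PREFIX-001.crt, PREFIX-002.crt, ...
# with one PEM block each, and print how many files were written.
split_bundle() {
    bundle=$1 dest=$2 prefix=${3:-local-ca}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$dest" || return 1
    awk -v dest="$dest" -v prefix="$prefix" '
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/%s-%03d.crt", dest, prefix, n)
            inside = 1
        }
        inside { print > out }              # comment lines between blocks are dropped
        /^-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# ignored_by_update DIR: list files the *.crt name filter would skip (e.g. cacert.pem).
ignored_by_update() {
    find "$1" -type f ! -name '*.crt' | sort
}

# make_sample_bundle FILE: constructed sample, two placeholder PEM blocks
# (not real certificates) laid out like the entries of a CA bundle.
make_sample_bundle() {
    cat > "$1" <<'EOF'
Example Root A
==============
-----BEGIN CERTIFICATE-----
QUFBQQ==
-----END CERTIFICATE-----

Example Root B
==============
-----BEGIN CERTIFICATE-----
QkJCQg==
-----END CERTIFICATE-----
EOF
}

# On the host, as root (directory name "extra" is an assumption):
#   split_bundle /home/user_me/cacert.pem /usr/local/share/ca-certificates/extra curl-bundle
#   update-ca-certificates
```

After update-ca-certificates has run, the regenerated /etc/ssl/certs/ca-certificates.crt is the file to point curl's --cacert or a .curlrc cacert line at if an explicit path is still wanted.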
