
Where to put certificates cacert.pem for cURL?

I'm trying to update rvm on a Debian server:

rvm get stable

but I got the following error:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here : http://curl.haxx.se/docs/sslcerts.html

I installed this server about 5 months ago and everything was working fine, but it seems that something changed in the certificate of https://rvm.io

So I managed to download a new certificate bundle (cacert.pem in my user directory):

wget http://curl.haxx.se/ca/cacert.pem

And I tried a different command, as the official doc says, but with an option for the certificate file to use:

\curl --cacert ./cacert.pem -L https://get.rvm.io | bash -s stable # update to stable

Things moved a bit forward. Unfortunately, later on rvm ran curl again during the install process and I got the same error again.

So I was wondering where to put my cacert.pem file to replace the one used by cURL?

I tried other techniques as well: creating a .curlrc file containing cacert = ~/cacert.pem, but I got an error: CAfile: cacert.pem CApath: /etc/ssl/certs

So I tried to copy my cacert.pem into /usr/share/ca-certificates/cacert.org and made a symlink in /etc/ssl/certs that points to /usr/share/ca-certificates/cacert.org/cacert.pem

But when I ran

rvm get stable

I got the error:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here : http://curl.haxx.se/docs/sslcerts.html

I also tried the command below, but with no different result:

sudo update-ca-certificates -f

So I am wondering where to put my cacert.pem file?

asked Nov 01 '12 15:11

Douglas


People also ask

How do you add a certificate to curl?

Download and save the self-signed certificate. Tell the curl client about it with the --cacert [file] command-line switch. This parameter tells curl to use the specified certificate file to verify the peer. The [file] may contain multiple CA certificates and must be in PEM format.

Where does curl look for certificates?

If you are using the curl command line tool on Windows, curl will search for a CA cert file named "curl-ca-bundle.crt" in these directories and in this order: application's directory, current working directory.


1 Answer

OK, I managed to make it work, but I'm not very happy with my solution.

The first mistake I was making was that the instruction in the .curlrc file was incorrect. We should use this file the same way we specify options to the "curl" command. So I removed the equals sign:

cacert /home/user_me/cacert.pem

With this I was able to make the first part of the command work:

\curl -L https://get.rvm.io | bash -s stable

The bash part was still failing because rvm was using curl again in root mode.

So I copied my .curlrc file as well into the /root folder.

And it worked! I could even call the standard rvm command:

rvm get stable

But this is a bit tricky, and I would prefer that curl use my cacert.pem file without all those .curlrc files.

Googling more, I found some useful information here and here. The first reference has a little mistake: when I read the man page of the "sudo update-ca-certificates --fresh" command, I realized the guy was putting his file in the wrong place.

You have to put your certificate into the /usr/share/ca-certificates folder instead of /usr/local/share/ca-certificates, and then append a line for your certificate to the configuration file /etc/ca-certificates.conf (e.g., "my_ca.crt"). Then you may run your "sudo update-ca-certificates --fresh" command.

Note: If you copy your certificate to /usr/local/share/ca-certificates instead, then you no longer need to modify the /etc/ca-certificates.conf configuration file nor run the "sudo update-ca-certificates --fresh" command.

However, in my case, for the first solution (/usr/share/ca-certificates) I got an error when I ran the "sudo update-ca-certificates --fresh" command. As a second solution, I tried just putting my certificate into /usr/local/share/ca-certificates. But it didn't work.

So I gave up and I kept my two .curlrc files.

So if anybody could point out what I was doing wrong, I would be very grateful.

answered Oct 23 '22 04:10

Douglas
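
On Debian, update-ca-certificates only picks up files under /usr/local/share/ca-certificates whose names end in .crt, and the hash links it builds expect one certificate per file, so a multi-certificate bundle copied there as cacert.pem is not picked up. The following is an added example, not part of the original answer: a shell function (split_bundle and its arguments are names made up here) that splits a PEM bundle into one .crt file per certificate and refuses a truncated bundle.

```shell
#!/bin/sh
# Added example: split a PEM bundle into one .crt file per certificate,
# the layout update-ca-certificates expects for locally added CAs.
# split_bundle, its arguments and the "local-ca" prefix are hypothetical names.

# split_bundle BUNDLE DEST_DIR [PREFIX]
# Writes DEST_DIR/PREFIX-0001.crt, PREFIX-0002.crt, ... and prints the count.
# Returns non-zero if the bundle is unreadable, empty or truncated.
split_bundle() {
    bundle=$1
    dest=$2
    prefix=${3:-local-ca}
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    mkdir -p "$dest" || return 1
    awk -v dest="$dest" -v prefix="$prefix" '
        # Text between certificates (names, comments) is ignored.
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/%s-%04d.crt", dest, prefix, n)
            inside = 1
        }
        inside { print > out }
        /^-----END CERTIFICATE-----/ {
            if (inside) { close(out); inside = 0; complete++ }
        }
        END {
            # A BEGIN without its END means a cut-off download: fail.
            if (inside || n == 0 || n != complete) exit 1
            print n
        }
    ' "$bundle"
}

# Typical use on Debian, as root, once the origin of the bundle is checked:
#   split_bundle ./cacert.pem /usr/local/share/ca-certificates
#   update-ca-certificates
#   curl -I https://rvm.io      # no --cacert and no .curlrc needed
```

Because the system trust store decides which servers every curl invocation will believe, including the ones rvm runs as root, fetch the bundle over HTTPS and compare it with its published checksum before installing it.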