Why won't curl recognise a self-signed SSL certificate?

I copied the PEM file into /usr/local/share/ca-certificates/ and ran update-ca-certificates, and I verified that the resulting certificate is now included in /etc/ssl/certs/ca-certificates.crt which is the file printed by curl-config --ca. I also verified that the certificate printed by openssl s_client -connect example.com:443 was identical to my PEM file. And yet I continue to get the "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" message. This happens even if I use curl's --cacert option as described at http://curl.haxx.se/docs/sslcerts.html to tell it what certificate to use.

It works if I disable certificate verification altogether with curl -k, but I don't want to do that because I'm trying to write a test harness that's supposed to test the SSL properly.

It works fine if I access the same URL in lynx, which normally complains if there are any SSL errors. But I can't just use Lynx for this test harness, unless I can find some way of making Tornado's AsyncHTTPClient use Lynx instead of libcurl. And it doesn't seem to make any sense that installing the self-signed certificate satisfies Lynx but not curl.

I'm using Ubuntu 12.04 LTS in a Vagrant-powered VirtualBox; it has curl 7.22.0. The SSL terminating proxy is nginx/1.3.13 running on the same machine, and the domain name is pointed to 127.0.0.1 by an entry in /etc/hosts.

Any clues on what might be the problem? Thanks.

Silas S. Brown asked Jul 11 '13 15:07
1 Answer

If we use cURL to retrieve a HTTPS site that is not using a CA-signed certificate, the following problem occurs:

```
curl https://example.selfip.com
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
```

While we can simply overcome this using the -k option, there's a safer and lasting solution, i.e.:

Step 1
Identify which directory your OpenSSL installation uses.

```
openssl version -d
OPENSSLDIR: "/usr/lib/ssl"
```

Step 2
Change to that directory and list the directory contents. You should see a directory called certs.

```
cd /usr/lib/ssl && ls -al
```

Step 3
Change to that directory.

```
cd certs
```

List the directory contents. You should see from the symlinks that the certificates are actually stored in /usr/share/ca-certificates.

Step 4
Change to the /usr/share/ca-certificates directory and add your self-signed certificate there (e.g. your.cert.name.crt).

Step 5
Change to /etc directory and edit the file ca-certificates.conf.

```
root@ubuntu:# cd /etc
root@ubuntu:# nano ca-certificates.conf
```

Add your.cert.name.crt to the file (ca-certificates.conf) and save it.

Last Step:

Execute the program update-ca-certificates --fresh.
Note: You might like to back up /etc/ssl/certs before executing the command.

```
root@ubuntu:# update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...done.
Updating certificates in /etc/ssl/certs....done.
Running hooks in /etc/ca-certificates/update.d....done.
```

Test with curl on your target HTTPS site and it should work now.


Pedro Lobito answered Sep 26 '22 16:09
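The check curl performs (chain verification against a CA bundle plus hostname matching) can be reproduced with the openssl CLI before touching the system store, which separates "my cert is not in the bundle curl reads" from other failures. This is an added example, not code from the question or the answer above; it assumes the openssl CLI is installed, and the hostname and certificates it creates are constructed throwaway test data.

```shell
#!/bin/sh
# Added example: reproduce curl's certificate check with openssl.
# Assumes the openssl CLI (1.1.1 or newer, for -addext) is on PATH.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST="example.selfip.com"   # constructed hostname, as in the answer's example

# Constructed self-signed server certificate, like the one nginx would serve.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
  -addext "subjectAltName=DNS:$HOST" \
  -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1

# A second, unrelated self-signed cert standing in for "some other CA".
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1

# verify_like_curl BUNDLE CERT HOST -> prints "ok" or "fail".
# Same two checks curl does with --cacert BUNDLE (or with the file printed by
# curl-config --ca): chain to a trusted cert, and name matches the URL host.
verify_like_curl() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Bundle without our cert: the state the asker is in when curl reports
# "certificate verify failed".
cp "$WORK/other.crt" "$WORK/other-bundle.crt"

# Bundle with our cert: what the system bundle looks like after the .crt is
# added to /usr/share/ca-certificates, listed in ca-certificates.conf and
# update-ca-certificates --fresh has been run.
cat "$WORK/other.crt" "$WORK/server.crt" > "$WORK/trusted-bundle.crt"

echo "cert missing from bundle:  $(verify_like_curl "$WORK/other-bundle.crt"   "$WORK/server.crt" "$HOST")"
echo "cert in bundle, right host: $(verify_like_curl "$WORK/trusted-bundle.crt" "$WORK/server.crt" "$HOST")"
echo "cert in bundle, wrong host: $(verify_like_curl "$WORK/trusted-bundle.crt" "$WORK/server.crt" "wrong.example")"
```

If the second line prints ok but the third prints fail for your real certificate, the bundle is fine and the problem is the name in the URL (the /etc/hosts entry must match the certificate's CN or subjectAltName).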