I copied the PEM file into /usr/local/share/ca-certificates/ and ran update-ca-certificates, and I verified that the resulting certificate is now included in /etc/ssl/certs/ca-certificates.crt which is the file printed by curl-config --ca. I also verified that the certificate printed by openssl s_client -connect example.com:443 was identical to my PEM file. And yet I continue to get the "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" message. This happens even if I use curl's --cacert option as described at http://curl.haxx.se/docs/sslcerts.html to tell it what certificate to use.
It works if I disable certificate verification altogether with curl -k, but I don't want to do that because I'm trying to write a test harness that's supposed to test the SSL properly.
It works fine if I access the same URL in lynx, which normally complains if there are any SSL errors. But I can't just use Lynx for this test harness, unless I can find some way of making Tornado's AsyncHTTPClient use Lynx instead of libcurl. And it doesn't seem to make any sense that installing the self-signed certificate satisfies Lynx but not curl.
I'm using Ubuntu 12.04 LTS in a Vagrant-powered VirtualBox; it has curl 7.22.0. The SSL terminating proxy is nginx/1.3.13 running on the same machine, and the domain name is pointed to 127.0.0.1 by an entry in /etc/hosts.
Any clues on what might be the problem? Thanks.
libcurl performs peer SSL certificate verification by default. This is done by using a CA certificate store that the SSL library can use to make sure the peer's server certificate is valid.
You need to pass the -k or --insecure option to the curl command. This option explicitly allows curl to perform “insecure” SSL connections and transfers. All SSL connections are attempted to be made secure by using the CA certificate bundle installed by default.
If we use cURL to retrieve an HTTPS site that is not using a CA-signed certificate, the following problem occurs:
curl https://example.selfip.com
curl: (60) SSL certificate problem, verify that the CA cert is OK.
Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
While we can simply overcome this using the -k option, there's a safer and lasting solution, i.e.:
Step 1
Identify which directory your OpenSSL installation uses.
openssl version -d
OPENSSLDIR: "/usr/lib/ssl"
Step 2
Change to that directory and list the directory contents. You should see a directory called certs.
cd /usr/lib/ssl && ls -al
Step 3
Change to that directory.
cd certs
List the directory contents. You should see from the symlinks that the certificates are actually stored in /usr/share/ca-certificates.
Step 4
Change to the /usr/share/ca-certificates directory and add your self-signed certificate there (e.g. your.cert.name.crt).
Step 5
Change to the /etc directory and edit the file ca-certificates.conf.
root@ubuntu:# cd /etc
root@ubuntu:# nano ca-certificates.conf
Add your.cert.name.crt to the file (ca-certificates.conf) and save it.
Last Step:
Execute the program update-ca-certificates --fresh.
Note: You might like to back up /etc/ssl/certs before executing the command.
root@ubuntu:# update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...done.
Updating certificates in /etc/ssl/certs....done.
Running hooks in /etc/ca-certificates/update.d....done.
Test with curl on your target HTTPS site and it should work now.
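The script below is an added example, not code from the question or from either answer. It reproduces, offline and without root, the checks the question describes (is my PEM really in the bundle? is it the same certificate the server sends?) and the chain and hostname verification curl hands to OpenSSL, using throwaway self-signed certificates. It assumes an OpenSSL 1.1.1 or newer binary (for req -addext and verify -verify_hostname), sudo for the one function that touches the system store, the hostname example.selfip.com from the answer above, and two constructed names (other.selfip.com, wrong.host.example) that exist only for the demo.

```shell
#!/bin/sh
# Added example: exercise the trust-store and verification checks behind
# curl's "certificate verify failed", offline, with throwaway certificates.
# Assumptions: openssl >= 1.1.1 on PATH; example.selfip.com is the host from
# the answer; other.selfip.com / wrong.host.example are constructed names.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_selfsigned HOST OUTPREFIX: private key plus a self-signed certificate
# whose subjectAltName names HOST (curl matches on SAN, not only on CN).
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -addext "subjectAltName=DNS:$1" -keyout "$2.key" -out "$2.crt" >/dev/null 2>&1
}

# fingerprint CERT: SHA-256 fingerprint of the DER encoding. Comparing this
# between the file you installed and what the server actually sends is the
# reliable form of the "identical to my PEM file" check.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_in_bundle CERT BUNDLE: returns 0 when CERT appears in the PEM bundle.
# The bundle is split into individual certificates and matched by fingerprint,
# so a different certificate with the same subject does not count as a hit.
cert_in_bundle() {
  want=$(fingerprint "$1")
  split=$(mktemp -d)
  awk -v d="$split" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (d "/" n ".pem") }' "$2"
  found=1
  for f in "$split"/*.pem; do
    [ -f "$f" ] || continue
    got=$(fingerprint "$f" 2>/dev/null)
    [ "$got" = "$want" ] && { found=0; break; }
  done
  rm -rf "$split"
  return $found
}

# verify_against CERT BUNDLE HOST: the chain check libcurl delegates to
# OpenSSL (trust anchors from -CAfile) plus the hostname match curl performs.
verify_against() {
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# served_fingerprint HOST PORT: fingerprint of the leaf certificate a live
# server presents, with SNI set. Needs network; not used in the offline demo.
served_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# install_system_trust CERT NAME: the supported Debian/Ubuntu route for a
# local trust anchor. A PEM file with a .crt extension under
# /usr/local/share/ca-certificates is picked up by update-ca-certificates
# without any edit to /etc/ca-certificates.conf (that file lists entries
# from /usr/share/ca-certificates only).
install_system_trust() {
  sudo cp "$1" "/usr/local/share/ca-certificates/$2.crt"
  sudo update-ca-certificates
}

# --- offline demo --------------------------------------------------------
make_selfsigned example.selfip.com "$WORK/site"    # what nginx would serve
make_selfsigned other.selfip.com   "$WORK/other"   # look-alike, never installed
cat "$WORK/site.crt" > "$WORK/bundle.pem"           # constructed trust store

cert_in_bundle "$WORK/site.crt"  "$WORK/bundle.pem" && echo "site cert is in the bundle"
cert_in_bundle "$WORK/other.crt" "$WORK/bundle.pem" || echo "other cert is not in the bundle"

verify_against "$WORK/site.crt"  "$WORK/bundle.pem" example.selfip.com && echo "verify: OK"
verify_against "$WORK/other.crt" "$WORK/bundle.pem" example.selfip.com || echo "verify fails: untrusted"
verify_against "$WORK/site.crt"  "$WORK/bundle.pem" wrong.host.example || echo "verify fails: hostname"
```

Two points the procedure above does not spell out: update-ca-certificates only picks up PEM files, and only those ending in .crt, so a DER file or a .pem file in the directory is silently ignored; and a hostname mismatch is reported by curl separately from a chain failure, so "certificate verify failed" means OpenSSL could not build a trusted chain for the certificate the server actually sent, which is worth confirming with served_fingerprint against the fingerprint of the file you installed.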