You are not logged in.
- Topics: Active | Unanswered
#1 2011-12-05 13:54:38
- synthead
- Member
- Registered: 2006-05-09
- Posts: 1,337
Valid SSL certificate (served by httpd) being reported invalid by cURL
I have a SSL cert and key installed on my webserver that properly resolves to the URL it's served on. When browsing it in chromium, the SSL connection is valid and works fine without warnings, but with cURL, it has issues. This certificate was signed by a trusted CA authority, GoDaddy, and ca-certificates 20111025-2 contains the proper .crt to properly authenticate it, which is proven by getting a good SSL handshake with chromium.
Here's what cURL has to say:
$ curl https://-censored- -v
* About to connect() to -censored- port 443 (#0)
* Trying -censored-... connected
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.Why am I getting this error?
Last edited by synthead (2011-12-05 13:55:08)
Offline
#2 2011-12-05 16:35:18
- eldragon
- Member
- From: Buenos Aires
- Registered: 2008-11-18
- Posts: 1,029
Re: Valid SSL certificate (served by httpd) being reported invalid by cURL
read http://curl.haxx.se/docs/sslcerts.html
there might be a packing error. or a bug in curl, or you dont have ca-certificates installed.
since it was built with
--with-ca-bundle=/etc/ssl/certs/ca-certificates.crtthere is a thread to pull from.
Offline
#3 2011-12-05 18:25:26
- synthead
- Member
- Registered: 2006-05-09
- Posts: 1,337
Re: Valid SSL certificate (served by httpd) being reported invalid by cURL
So I brought up my webserver in Chromium, clicked on the green lock by the URL, clicked certificate information, went to the Details tab, and clicked Export. Then, I saved the certificate to a temporary location, and found that its contents were in /etc/ssl/certs/ca-certificates.crt. So cURL and Chromium are using the same certificate to validate my webserver's certificate, except Chromium says it's okay while cURL says it isn't. 
Offline