curl SSL certificate error: verification failed
Please help me understand why I cannot curl a URL via https:
I am using Ubuntu 12.04.5 with curl 7.22.0, libcurl 7.22.0, openssl 1.0.1-4ubuntu5.25
$ curl -v https://www.onevanilla.com/
* About to connect() to www.onevanilla.com port 443 (#0)
*   Trying 199.83.128.4... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
So I try to manually get the cert (the PEM markers are upper case, so the sed range must match "-BEGIN CERTIFICATE-" and "-END CERTIFICATE-"):
$ openssl s_client -connect www.onevanilla.com:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/www.onevanilla.com.pem
and then:
$ curl -v --cacert /tmp/www.onevanilla.com.pem https://www.onevanilla.com
But I get the same result:
* About to connect() to www.onevanilla.com port 443 (#0)
*   Trying 199.83.128.4... connected
* successfully set certificate verify locations:
*   CAfile: /tmp/www.onevanilla.com.pem
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I can verify the certificate with openssl:
$ openssl s_client -host www.onevanilla.com -port 443 -CApath /etc/ssl/certs
and it returns Verify return code: 0 (ok)
I've run sudo update-ca-certificates --fresh to be sure, but no luck.
So it seems to me the cert is valid (not expired, hostname matches the CN), but I can never get a successful response using curl (unless of course I use the -k or --insecure options). Can someone please explain?
You've run into a problem caused by a long-standing issue with OpenSSL not handling situations with multiple trust paths. If you look at the report from SSL Labs you'll see that the server provides the following chain:
[0] /O=www.onevanilla.com/OU=Domain Control Validated/CN=www.onevanilla.com SAN=DNS:www.onevanilla.com,DNS:onevanilla.com
[1] /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
[2] /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
[3] /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
Browsers have included the root certificate for Go Daddy Class 2 Certification Authority, and thus can build the trust path [0], [1], root certificate, and ignore certificates [2] and [3]. OpenSSL instead will ignore certificate [3] because it is self-signed and therefore should not have been included in the chain at all. It will then attempt to verify the chain [0], [1], [2] and fail because it does not find a root certificate signing [2]. It will not attempt to verify the shorter chain [0], [1] instead.
For more details about the problem see "Python urllib2 ssl error", http://kriscience.blogspot.de/2013/03/supporting-trusted-but-untrusted.html, and the OpenSSL bug report.
What you can do: get the missing certificate from https://certs.godaddy.com/repository/valicert_class2_root.crt and use it in the --cacert parameter.
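A small diagnostic for the situation the answer describes, added here as an example (it is not code from the question or the answer): it splits a server chain into its certificates, flags the self-signed ones such as [3] above, and then asks openssl verify whether the leaf validates against a given CA file with no intermediates, with [1], with [1]+[2], and so on, so you can see which trust path actually works. It assumes openssl, awk, sed and mktemp are on the PATH and that the bundle is in the order a server sends it (leaf first), for instance saved from "openssl s_client -showcerts".

```shell
# Added example, not from the question or answer above. Splits a PEM bundle
# (e.g. the output of "openssl s_client -showcerts"), shows subject/issuer per
# certificate, flags self-signed ones, and runs "openssl verify" with ever
# shorter untrusted chains to find the shortest trust path that validates.
set -eu

# split_chain BUNDLE OUTDIR: writes OUTDIR/cert-0.pem (the leaf), cert-1.pem,
# ... in bundle order and prints how many certificates were found.
split_chain() {
    awk -v dir="$2" 'BEGIN { n = 0; f = "" }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/cert-" n ".pem"; n++ }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n }' "$1"
}

# describe_cert FILE: prints "self-signed" or "issued", subject and issuer.
# Self-signed is judged by subject == issuer (a name check, not a signature check).
describe_cert() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ]; then kind=self-signed; else kind=issued; fi
    printf '%s\t%s\t%s\n' "$kind" "$subj" "$iss"
}

# try_paths BUNDLE CAFILE: verifies the leaf against CAFILE using first no
# intermediates, then [1], then [1]+[2], ...; prints the number of chain
# certificates in the first path that verifies, or "none".
try_paths() {
    bundle=$1; cafile=$2
    dir=$(mktemp -d)
    n=$(split_chain "$bundle" "$dir")
    result=none; i=1
    while [ "$i" -le "$n" ]; do
        : > "$dir/untrusted.pem"
        j=1
        while [ "$j" -lt "$i" ]; do
            cat "$dir/cert-$j.pem" >> "$dir/untrusted.pem"; j=$((j + 1))
        done
        set -- -CAfile "$cafile"
        if [ "$i" -gt 1 ]; then set -- "$@" -untrusted "$dir/untrusted.pem"; fi
        if openssl verify "$@" "$dir/cert-0.pem" >/dev/null 2>&1; then
            result=$i; break
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    echo "$result"
}
```

Run as, for example, `try_paths chain.pem /etc/ssl/certs/ca-certificates.crt`: a result of 2 means the short path [0], [1] to a trusted root verifies, which is the path the 1.0.1 OpenSSL in the question never tried; current OpenSSL releases do try alternative chains, so the same check succeeds there.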