curl SSL certificate error: verification failed


Please help me understand why I cannot curl this URL via https:

I am using Ubuntu 12.04.5 with curl 7.22.0, libcurl 7.22.0, openssl 1.0.1-4ubuntu5.25

$ curl -v https://www.onevanilla.com/
* About to connect() to www.onevanilla.com port 443 (#0)
*   Trying 199.83.128.4... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

So I tried fetching the cert manually:

$ openssl s_client -connect www.onevanilla.com:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/www.onevanilla.com.pem

And then:

$ curl -v --cacert /tmp/www.onevanilla.com.pem https://www.onevanilla.com 

But I get the same result:

* About to connect() to www.onevanilla.com port 443 (#0)
*   Trying 199.83.128.4... connected
* successfully set certificate verify locations:
*   CAfile: /tmp/www.onevanilla.com.pem
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I can verify the certificate with openssl:

$ openssl s_client -host www.onevanilla.com -port 443 -CApath /etc/ssl/certs

and it returns Verify return code: 0 (ok)

I've also run sudo update-ca-certificates --fresh to be sure, but no luck.

So it seems to me that the cert is valid (not expired, hostname matches the CN), but I can never get a successful response using curl (unless of course I use the -k or --insecure options). Can anyone please explain?

You've run into a problem caused by a long-standing issue with OpenSSL not handling situations with multiple trust paths. If you look at the report from SSLLabs you'll see that the server provides the following chain:

[0] /O=www.onevanilla.com/OU=Domain Control Validated/CN=www.onevanilla.com SAN=DNS:www.onevanilla.com,DNS:onevanilla.com
[1] /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
[2] /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
[3] /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com

Browsers have the root certificate Go Daddy Class 2 Certification Authority included, so they can build the trust path [0], [1], root certificate and ignore certificates [2] and [3]. OpenSSL instead ignores certificate [3] because it is self-signed and therefore should not have been included in the chain at all. It then attempts to verify the chain [0], [1], [2] and fails because it does not find the root certificate signing [2]. It does not attempt to verify the shorter chain [0], [1] instead.

For more details about the problem see Python urllib2 SSL error, http://kriscience.blogspot.de/2013/03/supporting-trusted-but-untrusted.html and the OpenSSL bug report.

What you can do: get the missing certificate from https://certs.godaddy.com/repository/valicert_class2_root.crt and use it in the --cacert parameter.
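To make the path-building difference concrete, here is an added example (not part of the question or answer) that models the two strategies the answer contrasts. Certificates are reduced to subject/issuer name pairs and signature checks are assumed to succeed whenever the names match; the chain is the one listed above, and the trust store contents are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# The chain as served by www.onevanilla.com ([0]..[3] in the answer).
SERVER_CHAIN = [
    Cert("www.onevanilla.com", "Go Daddy Secure Certification Authority"),
    Cert("Go Daddy Secure Certification Authority", "Go Daddy Class 2 Certification Authority"),
    Cert("Go Daddy Class 2 Certification Authority", "ValiCert Class 2 Policy Validation Authority"),
    Cert("ValiCert Class 2 Policy Validation Authority", "ValiCert Class 2 Policy Validation Authority"),
]
# Constructed trust store: the self-signed Go Daddy Class 2 root, no ValiCert root.
TRUST_STORE = [Cert("Go Daddy Class 2 Certification Authority", "Go Daddy Class 2 Certification Authority")]


def find_issuer(cert: Cert, pool: list[Cert]) -> Cert | None:
    return next((c for c in pool if c.subject == cert.issuer), None)


def build_path(leaf: Cert, untrusted: list[Cert], trusted: list[Cert], trusted_first: bool) -> list[str] | None:
    """Return the subjects on the verified path, or None if no trusted root is reached.
    trusted_first=False mimics OpenSSL 1.0.1 as the answer describes it: drop self-signed
    certs from the server chain, follow it as far as it goes, then look for the last
    issuer in the trust store. trusted_first=True checks the trust store at every step."""
    pool = [c for c in untrusted if not c.self_signed and c != leaf]
    path, cur = [leaf.subject], leaf
    for _ in range(len(pool) + 1):  # bounded walk, the pool has no cycles
        root, nxt = find_issuer(cur, trusted), find_issuer(cur, pool)
        if root is not None and (trusted_first or nxt is None):
            return path + [root.subject]
        if nxt is None:
            return None
        path.append(nxt.subject)
        cur = nxt
    return None


def demo() -> tuple[list[str] | None, list[str] | None, list[str] | None]:
    leaf = SERVER_CHAIN[0]
    legacy = build_path(leaf, SERVER_CHAIN, TRUST_STORE, trusted_first=False)
    modern = build_path(leaf, SERVER_CHAIN, TRUST_STORE, trusted_first=True)
    # The answer's workaround: add the ValiCert root (as with --cacert) to the trust store.
    patched = build_path(leaf, SERVER_CHAIN, TRUST_STORE + [SERVER_CHAIN[3]], trusted_first=False)
    return legacy, modern, patched


if __name__ == "__main__":
    for name, p in zip(("openssl 1.0.1", "trusted-first", "with ValiCert root"), demo()):
        print(f"{name:20s}", "OK: " + " -> ".join(p) if p else "certificate verify failed")
```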

