Re: cacerts download is a bit sideways on Ubuntu

Mon, 11 Jan 2021 00:28:55 -0800 

On 1/11/2021 2:48 AM, Jeffrey Walton via curl-library wrote:

On Mon, Jan 11, 2021 at 2:35 AM Daniel Stenberg<dan...@haxx.se>  wrote:

On Mon, 11 Jan 2021, Jeffrey Walton via curl-library wrote:


$ lsb_release -a
Distributor ID:    Ubuntu
Description:    Ubuntu 20.04.1 LTS
Release:    20.04
Codename:    focal

$ command -v wget
/usr/bin/wget

$ wget -O cacert.pem 'https://curl.haxx.se/ca/cacert.pem'
  Unable to locally verify the issuer's authority.

The cert is used by Fastly for a vast amount of servers so you'll likely to
have widespread issues when it doesn't work.

When I visit cURL's site in a browser, the CA used is Let's Encrypt
(and not GlobalSign).


Finally: that URL is the old one anyway, get the bundle from the current URL
and you'll see that it is signed by anoter cert:https://curl.se/ca/cacert.pem

OK, thanks. This did not help.


I tested the same on Ubuntu 18.04 with the shipped curl version there and it
works fine.

Yeah, I updated from 18.04 to 20.04 last week. 18.04 did not have
troubles. I think today is the first time I ran the script under
20.02.

I can give you remote access if you are interested in duplicating it.
I need your authorized_keys.



I'm using 16 LTS and I can't reproduce either. Try openssl

owner@ubuntu1604-x64-vm:~$ debsums ca-certificates | grep -i globalsign
/usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R4.crt OK
/usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R5.crt OK
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt OK
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R2.crt OK
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt OK
/usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R6.crt OK
owner@ubuntu1604-x64-vm:~$ SSL_CERT_DIR="" openssl s_client -connect curl.haxx.se:443 -servername curl.haxx.se -CAfile /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt < /dev/null | grep "Verify return code" 
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA 2020 
verify return:1
depth=0 CN = *.haxx.se
verify return:1
DONE
    Verify return code: 0 (ok)


-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html

Reply via email to