This is likely a problem with OpenSSL and not curl but regardless I was surprised to see:
    europa$
    europa$ curl -4 -L --url 'https://gitlab.com/' -o /dev/null
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: https://curl.se/docs/sslcerts.html

    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.
    europa$
    europa$ curl --version
    curl 7.75.0 (x86_64-unknown-freebsd13.0) libcurl/7.75.0 OpenSSL/1.1.1k zlib/1.2.11 libidn2/2.3.0 libssh2/1.9.0
    Release-Date: 2021-02-03
    Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
    Features: alt-svc AsynchDNS HTTPS-proxy IDN Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets
    europa$

So I looked into the location where the ssl certs "should" be given my curl config:

    $ ./configure --prefix=/opt/bw --disable-dependency-tracking \
        --disable-silent-rules --without-gnu-ld --enable-shared \
        --enable-static \
        --with-libidn=/usr/local --with-libidn2=/usr/local \
        --with-ssl=/opt/bw --with-ca-path=/opt/bw/ssl/certs \
        --enable-tls-srp --with-libssh2

So I expect that the cacert.pem file at https://curl.se/docs/caextract.html would solve all my problems, however:

    europa$ ls -lapb /opt/bw/ssl/certs/
    total 350
    drwxr-xr-x  2 root  wheel       3 Apr  8 02:35 ./
    drwxr-xr-x  5 root  wheel       9 Apr  7 00:14 ../
    -rw-r--r--  1 root  wheel  208075 Jan 19 04:12 cacert.pem
    europa$

This does not help at all and even OpenSSL seems confused.
So I try to debug this with the s_client sub-command and see something obvious right away:

    europa# /opt/bw/bin/openssl s_client -4 -showcerts -connect gitlab.com:443
    CONNECTED(00000003)
    depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
    verify return:1
    depth=0 CN = gitlab.com
    verify return:1
    ---
    Certificate chain
     0 s:CN = gitlab.com
       i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
    -----BEGIN CERTIFICATE-----
    MIIGBzCCBO+gAwIBAgIQP8Jvo234xjti44c2dq2FnDANBgkqhkiG9w0BAQsFADCB
    jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
    A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQD
    . . . etc etc etc

The "unable to get local issuer certificate" is the problem. However the default FreeBSD system openssl here seems to have no issues:

    CONNECTED(00000004)
    depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
    verify return:1
    depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
    verify return:1
    depth=0 CN = gitlab.com
    verify return:1
    ---
    Certificate chain
     0 s:CN = gitlab.com
       i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
    -----BEGIN CERTIFICATE-----
    MIIGBzCCBO+gAwIBAgIQP8Jvo234xjti44c2dq2FnDANBgkqhkiG9w0BAQsFADCB
    jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
    A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQD
    . . . etc etc etc

So there must be a problem with the location of the ssl certs or the contents of that cacert.pem file.
So I dump out all the contents:

    openssl crl2pkcs7 -nocrl -certfile /opt/bw/ssl/certs/cacert.pem | \
        openssl pkcs7 -print_certs -text > /var/tmp/dclarke/pile

I think the data I need is in there:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26
            Signature Algorithm: ecdsa-with-SHA384
            Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
            Validity
                Not Before: Feb  1 00:00:00 2010 GMT
                Not After : Jan 18 23:59:59 2038 GMT
            Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (384 bit)
    . . . etc etc etc

Also this:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
            Signature Algorithm: sha384WithRSAEncryption
            Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
            Validity
                Not Before: Feb  1 00:00:00 2010 GMT
                Not After : Jan 18 23:59:59 2038 GMT
            Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (4096 bit)

Those exact serial numbers also exist in the FreeBSD default cert pile:

    europa$ ls -la /usr/share/certs/trusted/USERTrust_*
    -r--r--r--  1 root  wheel  3238 Apr  4 03:34 /usr/share/certs/trusted/USERTrust_ECC_Certification_Authority.pem
    -r--r--r--  1 root  wheel  7669 Apr  4 03:34 /usr/share/certs/trusted/USERTrust_RSA_Certification_Authority.pem
    europa$

I checked them. So I am baffled. What do I need in the SSL certs directory for both OpenSSL and curl to be happy? Is this an OpenSSL question and not really a curl question?
--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
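An added example, not part of the original post and not code from the curl or OpenSSL projects, illustrating the distinction the post's configure line turns on. `--with-ca-path=DIR` hands OpenSSL a CApath, and OpenSSL searches a CApath by file name: it looks for `<subject_hash>.<n>` entries (the 8-hex-digit X509_NAME_hash of the issuer it needs, normally created by `openssl rehash` or the older `c_rehash`), and never opens a file called `cacert.pem` that happens to sit there. A bundle file is only read in full when it is given as a CAfile (`--cacert` on the curl command line, `--with-ca-bundle=FILE` at configure time). The script below is a small diagnostic that classifies a trust location the way OpenSSL will see it. The directory layout, the two PEM blocks in the bundle, and the `deadbeef.0` entry that stands in for a real hashed symlink are all constructed for the example; the real hash for each certificate comes from `openssl rehash`, which this script does not reimplement.

```python
"""Classify a CA trust location as OpenSSL (and therefore curl) will use it.

Added example. OpenSSL's CApath lookup is by file name (<subject_hash>.<n>,
CRLs as <hash>.r<n>); a bundle dropped into the directory is never read.
A CAfile is read in full. This script reports which of the two a path is
good for. Nothing here derives real subject hashes; use 'openssl rehash'.
"""
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
# OpenSSL by_dir naming: 8 lowercase hex digits, '.', optional 'r' (CRL), digits.
HASHED_NAME_RE = re.compile(r"^[0-9a-f]{8}\.r?\d+$")


def count_pem_certs(path: Path) -> int:
    """Number of CERTIFICATE blocks in a file (0 for unreadable or non-PEM)."""
    try:
        return len(PEM_CERT_RE.findall(path.read_text(errors="replace")))
    except OSError:
        return 0


@dataclass
class TrustStoreReport:
    location: str
    kind: str                              # "file", "dir" or "missing"
    certs_in_bundles: int = 0              # PEM certs found in plain files
    hashed_entries: int = 0                # names a CApath lookup can hit
    unhashed_bundles: list = field(default_factory=list)
    usable_as_capath: bool = False
    usable_as_cafile: bool = False
    advice: str = ""


def inspect_trust_store(location: str) -> TrustStoreReport:
    """Report whether LOCATION works as a CAfile, as a CApath, or as neither."""
    p = Path(location)
    if p.is_file():
        n = count_pem_certs(p)
        r = TrustStoreReport(location, "file", certs_in_bundles=n,
                             usable_as_cafile=n > 0)
        r.advice = (f"bundle of {n} certificate(s); use it as a CAfile "
                    "(curl --cacert, configure --with-ca-bundle)"
                    if n else "no PEM certificates in this file")
        return r
    if not p.is_dir():
        return TrustStoreReport(location, "missing", advice="path does not exist")
    r = TrustStoreReport(location, "dir")
    for entry in sorted(p.iterdir()):
        if HASHED_NAME_RE.match(entry.name):
            r.hashed_entries += 1          # what OpenSSL actually opens
        elif entry.is_file() and (n := count_pem_certs(entry)):
            r.certs_in_bundles += n        # present on disk, invisible to CApath
            r.unhashed_bundles.append(entry.name)
    r.usable_as_capath = r.hashed_entries > 0
    if r.usable_as_capath:
        r.advice = f"hashed directory with {r.hashed_entries} entries; fine as CApath"
    elif r.unhashed_bundles:
        r.advice = ("PEM bundle(s) present but no <hash>.N entries, so a CApath "
                    f"lookup finds nothing; run 'openssl rehash {location}' "
                    "or point a CAfile at the bundle")
    else:
        r.advice = "empty trust directory"
    return r


def build_demo_store(root: Path) -> None:
    """Constructed layout matching the post: a directory holding only cacert.pem.
    The certificate bodies are placeholders, not real certificates."""
    root.mkdir(parents=True, exist_ok=True)
    fake_cert = ("-----BEGIN CERTIFICATE-----\n"
                 "MIIBconstructedPlaceholderNotARealCertificateBodyAAAAAAAAAAAA\n"
                 "-----END CERTIFICATE-----\n")
    (root / "cacert.pem").write_text(fake_cert * 2)


def demo() -> dict:
    """Inspect the constructed store as a dir, as a file, and after a simulated
    rehash ('deadbeef.0' is a placeholder name; the real tool derives it)."""
    root = Path(tempfile.mkdtemp()) / "certs"
    build_demo_store(root)
    before = inspect_trust_store(str(root))
    as_file = inspect_trust_store(str(root / "cacert.pem"))
    (root / "deadbeef.0").write_text("placeholder for a hashed symlink")
    after = inspect_trust_store(str(root))
    return {"before": before, "as_file": as_file, "after": after}


if __name__ == "__main__":
    for name, report in demo().items():
        print(f"{name:8s} {report.kind:4s} {report.advice}")
```

Run it directly and the "before" line describes the layout in the post's `ls` output: a directory with one bundle and no hashed names. On a real system the check is the same idea done by hand: `ls /opt/bw/ssl/certs` should show `<hash>.0`-style names for a CApath to be useful, and `openssl rehash DIR` creates them from whatever PEM files are already in the directory.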