On 4/8/21 2:53 AM, Ray Satiro via curl-library wrote:
> On 4/8/2021 12:21 AM, Dennis Clarke via curl-library wrote:
>> europa$
>> europa$ curl -4 -L --url 'https://gitlab.com/' -o /dev/null
>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>                                  Dload  Upload   Total   Spent    Left  Speed
>>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
>> curl: (60) SSL certificate problem: unable to get local issuer certificate
>> More details here: https://curl.se/docs/sslcerts.html
>>
>> curl failed to verify the legitimacy of the server and therefore could not
>> establish a secure connection to it. To learn more about this situation and
>> how to fix it, please visit the web page mentioned above.
>> europa$
>>
>> europa$ curl --version
>> curl 7.75.0 (x86_64-unknown-freebsd13.0) libcurl/7.75.0 OpenSSL/1.1.1k zlib/1.2.11 libidn2/2.3.0 libssh2/1.9.0
>> Release-Date: 2021-02-03
>> Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
>> Features: alt-svc AsynchDNS HTTPS-proxy IDN Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets
>> europa$
>>
>> So I looked into the location where the ssl certs "should" be given my
>> curl config :
>>
>> $ ./configure --prefix=/opt/bw --disable-dependency-tracking \
>>     --disable-silent-rules --without-gnu-ld --enable-shared \
>>     --enable-static \
>>     --with-libidn=/usr/local --with-libidn2=/usr/local \
>>     --with-ssl=/opt/bw --with-ca-path=/opt/bw/ssl/certs \
>>     --enable-tls-srp --with-libssh2
>>
>> So I expect that the cacert.pem file at
>>
>> https://curl.se/docs/caextract.html
>>
>> would solve all my problems, however :
>>
>> europa$ ls -lapb /opt/bw/ssl/certs/
>> total 350
>> drwxr-xr-x  2 root  wheel       3 Apr  8 02:35 ./
>> drwxr-xr-x  5 root  wheel       9 Apr  7 00:14 ../
>> -rw-r--r--  1 root  wheel  208075 Jan 19 04:12 cacert.pem
>> europa$
>>
>> This does not help at all and even OpenSSL seems confused.
>
> What is your curl -V version and the verbose output? Your CA path is
> supposed to contain the certificate files named by hash value [1], which
> it doesn't.

I just dropped the correct certs into that directory and they are still
not found :

europa$ grep '89:80:cc:26' /opt/bw/ssl/certs/*
/opt/bw/ssl/certs/USERTrust_ECC_Certification_Authority.pem:         5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26
europa$ grep '0e:35:03:2d' /opt/bw/ssl/certs/*
/opt/bw/ssl/certs/USERTrust_RSA_Certification_Authority.pem:         01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d

Those are exactly what is needed.

europa$ /opt/bw/bin/curl -V
curl 7.75.0 (x86_64-unknown-freebsd13.0) libcurl/7.75.0 OpenSSL/1.1.1k zlib/1.2.11 libidn2/2.3.0 libssh2/1.9.0
Release-Date: 2021-02-03
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HTTPS-proxy IDN Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets
europa$

So I should think that the certs are found in that directory now :

europa$ /opt/bw/bin/curl -vvvv -4 -L https://gitlab.com/ -o /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 172.65.251.78:443...
* Connected to gitlab.com (172.65.251.78) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: none
*  CApath: /opt/bw/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [25 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4542 bytes data]
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
europa$

> Putting a single file with a bundle of certificates in the
> path won't help. You can use configure option --with-ca-bundle=FILE.

That is exactly what I am going to do. Once a week or so I can check if
the cacert bundle has been updated and then otherwise forget about it.

> Note your OS may have a packaged and maintained directory containing
> certificates or a bundle of certificates, I would use that if you can.
> Also see [2] for scanned paths
>

Yes, I was thinking of that also but felt it should not be black magic
to just point to a cacert bundle.

> [1]:
> https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.html
>
> [2]: https://github.com/curl/curl/blob/curl-7_76_0/acinclude.m4#L2182-L2192

Thank you and I will look over all of that.
-- 
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html