25

I copied the PEM file into /usr/local/share/ca-certificates/ and ran update-ca-certificates, and I verified that the resulting certificate is now included in /etc/ssl/certs/ca-certificates.crt which is the file printed by curl-config --ca. I also verified that the certificate printed by openssl s_client -connect example.com:443 was identical to my PEM file. And yet I continue to get the "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" message. This happens even if I use curl's --cacert option as described at http://curl.haxx.se/docs/sslcerts.html to tell it what certificate to use.

It works if I disable certificate verification altogether with curl -k, but I don't want to do that because I'm trying to write a test harness that's supposed to test the SSL properly.

It works fine if I access the same URL in lynx, which normally complains if there are any SSL errors. But I can't just use Lynx for this test harness, unless I can find some way of making Tornado's AsyncHTTPClient use Lynx instead of libcurl. And it doesn't seem to make any sense that installing the self-signed certificate satisfies Lynx but not curl.

I'm using Ubuntu 12.04 LTS in a Vagrant-powered VirtualBox; it has curl 7.22.0. The SSL terminating proxy is nginx/1.3.13 running on the same machine, and the domain name is pointed to 127.0.0.1 by an entry in /etc/hosts.

Any clues on what might be the problem? Thanks.

Silas S. Brown
  • 1,469
  • 1
  • 17
  • 18

1 Answers1

26

If we use cURL to retrieve a HTTPS site that is not using a CA-signed certificate, the following problem occurs:

curl https://example.selfip.com
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

While we can simply overcome this using the -k option, there's a safer and lasting solution, i.e.:

Step 1
Identify which directory your OpenSSL installation uses.

openssl version -d
OPENSSLDIR: "/usr/lib/ssl"

Step 2
Change to that directory and list the directory contents. You should see a directory called certs.

cd /usr/lib/ssl && ls -al

Step 3
Change to that directory.

cd certs

List the directory contents. You should see from the symlinks that the certificates are actually stored in /usr/share/ca-certificates.

Step 4
Change to /usr/share/ca-certificates directory and add you self-signed certificate there, (ex: your.cert.name.crt)

Step 5
Change to /etc directory and edit the file ca-certificates.conf.

root@ubuntu:# cd /etc
root@ubuntu:# nano ca-certificates.conf

Add your.cert.name.crt to the file (ca-certificates.conf) and save it.

Last Step:

Execute the program update-ca-certificates –fresh.
Note: You might like to backup /etc/ssl/certs before executing the command.

root@ubuntu:# update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...done.
Updating certificates in /etc/ssl/certs....done.
Running hooks in /etc/ca-certificates/update.d....done.

Test with curl on your target HTTPS site and it should work now.

Source

Pedro Lobito
  • 94,083
  • 31
  • 258
  • 268
  • Centos: Install the ca-certificates package: `yum install ca-certificates` Enable the dynamic CA configuration feature: `update-ca-trust force-enable` Add it as a new file to /etc/pki/ca-trust/source/anchors/: `cp foo.crt /etc/pki/ca-trust/source/anchors/` Use command: `update-ca-trust extract` (Thanks https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html) – DarthCaniac Jun 14 '19 at 14:14
  • In my case I also had to add `example.com` to `/etc/hosts`. Posted an answer on it here: https://stackoverflow.com/a/58051724/5153500 – Semih Sezer Sep 22 '19 at 17:32