11

I am trying to connect to application on localhost which uses SSL. I am using Mac OS X Mavericks. The error I am getting is following: 

Error sending cURL get request to https://dev.site.com:5555/version  
Error code: 60 Error msg: SSL certificate problem: Invalid certificate chain

I tried to add certificates to the chain:

/usr/bin/security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" /etc/path/ca_key.pem

Still getting the same error.

nobody
  • 19,814
  • 17
  • 56
  • 77
dzeno
  • 510
  • 1
  • 5
  • 16

4 Answers4

28

In some cases will be better to use standard curl (eg if you develop on Mac code for Linux or *BSD). In this case you can do like that:

  1. Install Homebrew

  2. Install curl with standard certificates support (no more Keychain certs).

    brew install curl --with-openssl && brew link curl --force

  3. Install root CA certs from http://curl.haxx.se/ca/cacert.pem into /usr/local/etc/openssl/certs/cacert.pem

  4. Add into your ~/.bash_profile

    export CURL_CA_BUNDLE=/usr/local/etc/openssl/certs/cacert.pem

  5. After 4 steps you can use curl with certificates from file, not from Keychain.

Andrey Korchak
  • 2,280
  • 1
  • 18
  • 15
5

--cacert and --cert are broken in OSX Mavericks.

You can read more about it here: https://groups.google.com/forum/#!topic/munki-dev/oX2xUnoQEi4

The workaround is here: http://curl.haxx.se/mail/archive-2013-10/0036.html which indicates that you need to import the certificate as a trusted system cert:

Import the certificate into the system ("System") or user ("login") keychain using Keychain Access and mark it as always trusted for SSL and X.509 basic policy.

brandonscript
  • 68,675
  • 32
  • 163
  • 220
  • 1
    While Safari is recognizing [my certificate](https://sbarnea.com) without any problems, curl still doesn't work. Do you know a command line approach that could be used to automate the import process (Safari does not allow me to save the certificate in KeyChain) – sorin Jan 13 '14 at 12:25
  • Safari doesn't allow you to import it, but you should be able to import it directly into the System KeyChain. – brandonscript Jan 13 '14 at 16:22
  • I can't get to your workaround link because of this very issue with my cert chain. – jschmitter Jan 15 '19 at 17:38
  • I quoted the pertinent bits. Import the cert into your system or login keychain and mark it as trusted - you then may need to restart the browser. That said... if you're unable to trust a public cert, that sounds like a different problem altogether. – brandonscript Jan 15 '19 at 17:42
4

There are two things you can do:

(1) Convert the .pem certificate to .p12:

openssl pkcs12 -export -out my_certificate.p12 -inkey my_certificate.pem -in my_certificate.pem`

and use it with curl with the PASSWORD you pick when converting:

curl --cert my_certificate.p12:PASSWORD.

(2) Drag the .pem file into your keychain, open the infopane, set it to 'always trust' for SSL and X.509, and note the COMMON-NAME. (name of certificate)

curl --cert COMMON-NAME

Both work for me on OSX 10.9 with cURL 7.35.0

Bart
  • 863
  • 8
  • 19
2

The option --with-openssl no longer works as of https://github.com/Homebrew/homebrew-core/pull/36263

Just install curl-openssl instead of curl.

$ brew install curl-openssl

$ /usr/local/opt/curl-openssl/bin/curl --version
curl 7.64.1 (x86_64-apple-darwin18.2.0) libcurl/7.64.1 OpenSSL/1.0.2r zlib/1.2.11 brotli/1.0.7 c-ares/1.15.0 libssh2/1.8.2 nghttp2/1.38.0 librtmp/2.3
Release-Date: 2019-03-27
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz Metalink NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets
Chris W
  • 21
  • 1