
For several OSX versions, I've been using these tutorials to set up a local development environment, including SSL.

I've also always been able to create dynamic virtual hosts based on the folder structure like this:

# Auto-VirtualHosts with .dev
<VirtualHost *:8080>
  ServerName dev
  ServerAlias *.dev

  CustomLog "/Users/username/Sites/logs/dev-access_log" combinedmassvhost
  ErrorLog "/Users/username/Sites/logs/dev-error_log"

  VirtualDocumentRoot /Users/username/Sites/%-2+
</VirtualHost>
<VirtualHost *:8443>
  ServerName dev
  ServerAlias *.dev
  Include "/Users/username/Sites/ssl/ssl-shared-cert.inc"

  CustomLog "/Users/username/Sites/logs/dev-access_log" combinedmassvhost
  ErrorLog "/Users/username/Sites/logs/dev-error_log"

  VirtualDocumentRoot /Users/username/Sites/%-2+
</VirtualHost>

The included SSL file there is like this:

SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile "/usr/local/etc/httpd/server.crt"
SSLCertificateKeyFile "/usr/local/etc/httpd/server.key"

And to generate that certificate I run this code:

$ cd /usr/local/etc/httpd
$ openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout server.key -out server.crt

This has always worked okay for me, locally. I can run curl successfully, and especially in WordPress development I can run cron tasks that presumably use curl.

Upon upgrading to High Sierra, I get the following error in WordPress:

There was a problem spawning a call to the WP-Cron system on your site. This means WP-Cron events on your site may not work. The problem was: cURL error 60: SSL certificate problem: self signed certificate

And on the command line, when I run curl to a local HTTPS URL, I get this error:

curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

I've tried reinstalling all the items from the initial tutorial, but so far nothing has helped. I've also tried installing curl from the Homebrew version instead of the built in, but this didn't seem to have any effect. Is there something known about High Sierra that would make it more picky about this? If so, is there anything I can do to bypass this for local development?

Jonathan Stegall
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. – jww Nov 15 '17 at 23:11
  • ***`CN=www.example.com`*** is probably wrong. Hostnames always go in the *SAN*. If it's present in the *CN*, then it must be present in the *SAN* too (you have to list it twice in this case). For more rules and reasons, see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) You will also need to place the self-signed certificate in the appropriate trust store. – jww Nov 15 '17 at 23:12
  • @jww it is certainly about setting up a local development environment, so I thought it would be okay here. While I don't remember putting in CN=www.example.com, what is confusing me is that it always worked fine, for local development, as a universal SSL on previous OSX versions. Does this mean something has changed in High Sierra? – Jonathan Stegall Nov 16 '17 at 15:27

1 Answer


You have to add your self-signed certificate to the curl CA certificate store.

First you have to generate the ca bundle by running the perl script stored in:

/usr/local/Cellar/curl/7.56.1/libexec/mk-ca-bundle.pl

Edit the generated file:

/usr/local/Cellar/curl/7.56.1/libexec/ca-bundle.crt

and add your self-signed certificate using the same syntax.

You can obtain the certificate with:

openssl s_client -showcerts -connect my.server.com:443

Copy everything from :

-----BEGIN CERTIFICATE-----

to

-----END CERTIFICATE-----

including the BEGIN and END lines. Then create a file ~/.curlrc containing:

cacert /usr/local/Cellar/curl/7.56.1/libexec/ca-bundle.crt
Ortomala Lokni
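The answer's procedure end to end, as an added example that is not from the question or the answer: generate a dev certificate whose hostname is in the SAN (the point jww's comment makes), pull the PEM block out of s_client-style output, append it to a bundle in the layout mk-ca-bundle.pl writes, and confirm offline with `openssl verify` that the bundle now trusts it. The scratch directory, the hostname `myproject.dev`, the "public root" stand-in and the s_client chatter are all constructed for the example.

```shell
#!/bin/sh
# Assumed stand-ins: WORK replaces /usr/local/etc/httpd, BUNDLE replaces the
# libexec/ca-bundle.crt path, HOST is a made-up local vhost name.
set -eu
WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-myproject.dev}"
BUNDLE="$WORK/ca-bundle.crt"

# Self-signed cert with the hostnames in the SAN, not only in the CN.
# A config file is used instead of -addext so macOS LibreSSL works too.
make_cert() {  # $1 = hostname, $2 = output basename
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n[dn]\nCN=%s\n[ext]\nsubjectAltName=DNS:%s,DNS:*.%s\n' \
    "$1" "$1" "$1" > "$WORK/$2.cnf"
  openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -config "$WORK/$2.cnf" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.crt" 2>/dev/null
}

# Take `openssl s_client -showcerts ...` output on stdin and keep only the
# first PEM block; openssl x509 skips the CONNECTED/handshake chatter itself.
extract_cert() { openssl x509 -out "$1"; }   # $1 = output PEM file

# Append a cert in the layout mk-ca-bundle.pl writes: a name line, an
# underline of '=' signs, then the PEM block.
add_to_bundle() {  # $1 = display name, $2 = PEM file
  { printf '\n%s\n' "$1"; printf '%s\n' "$1" | sed 's/./=/g'; cat "$2"; } >> "$BUNDLE"
}

# Offline stand-in for what curl's verifier does with `cacert $BUNDLE`:
# succeeds only if the cert chains to an entry in the bundle.
trusted_by_bundle() { openssl verify -CAfile "$BUNDLE" "$WORK/$1.crt" >/dev/null 2>&1; }

demo() {
  make_cert "$HOST" server              # the Apache vhost cert
  make_cert other.example other         # stands in for the public CAs in the bundle
  add_to_bundle "Some public root" "$WORK/other.crt"
  trusted_by_bundle server && return 1  # before: the cURL error 60 situation
  # Constructed s_client-style output: chatter, the cert, trailing status line.
  { echo 'CONNECTED(00000003)'; echo 'depth=0 CN = dev'; cat "$WORK/server.crt"
    echo 'Verify return code: 18 (self signed certificate)'; } | extract_cert "$WORK/fetched.crt"
  add_to_bundle "local dev: $HOST" "$WORK/fetched.crt"
  trusted_by_bundle server              # after: OK, so ~/.curlrc can point cacert here
}

demo && printf 'Bundle %s now trusts %s\n' "$BUNDLE" "$HOST"
```

`cacert` in ~/.curlrc replaces curl's default trust store rather than extending it, so the file it points at must still hold the public roots mk-ca-bundle.pl produced, not only the dev certificate.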