17

I'm developing a program where I have a virtual development server that runs with a self-signed certificate. My program uses curl to connect to the server and pull information, but needs to do so with SSL. When I try to connect I get the error "SSL certificate problem, verify that the CA cert is OK." When running Firefox I can add the certificate to just Firefox, but that doesn't help me with curl. How do I add the certificate for curl to recognize?

```
curl 7.19.7 (x86_64-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
```

Ubuntu 10.04 Lucid Lynx 64bit

Andrew Redd
  • 2
    [cURL: Adding/Installing/Trusting New Self-Signed Certificate](http://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/) – Elnur Abdurrakhimov Oct 25 '12 at 07:04
  • Also see [Use self signed certificate with cURL?](https://stackoverflow.com/q/27611193/608639) It is a good, canonical answer. Daniel Stenberg, the author of cURL, answered the question. – jww Mar 03 '18 at 17:38
  • That blog moved. Here's the new URL: [cURL: Adding/Installing/Trusting N Self-Signed Certificate](https://interest.richieteo.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/) – Devon_C_Miller Jun 17 '22 at 12:23

4 Answers

17

This is one way that worked for me:

First, get the CA cert from the development domain and save it to a file called 'logfile'. (Assumes port 443 for SSL)

```
openssl s_client -connect xxxxx.com:443 | tee logfile
```

Then, use the --cacert curl option to use the saved certificate file.

```
curl --cacert logfile **THE REST OF YOUR CURL COMMAND**
```

Source: http://curl.haxx.se/docs/sslcerts.html

Curt
  • This doesn't work for me. Mind trying on a current version of curl? Also, knowing what commands you used to generate the key may be useful. – coolaj86 Jul 15 '14 at 00:23
  • Worked for me using curl version curl 7.81.0 (Release-Date: 2022-01-05) – bczoma Mar 02 '22 at 16:01
15

I'd copy the certificate to `/usr/local/share/ca-certificates/`.

Let me quote the man page for `update-ca-certificates`:

> Furthermore all certificates with a .crt extension found below /usr/local/share/ca-certificates are also included as implicitly trusted.

StephenKing
user5286165
9

Add your rootCA.pem to the `/usr/share/ca-certificates` directory.

After that, update your certificates with the `update-ca-certificates --fresh` command.

I just did that, and it works fine.

Ondra Žižka
Bruno Soares
  • 5
    This would also require appending cert part to `/etc/ca-certificates.conf`, but you shouldn't do that, because it's autogenerated. Add the root PEM file to `/usr/local/share/ca-certificates` instead. – gronostaj Sep 28 '18 at 10:24
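
Added example, not part of any answer on this page: the `logfile` written by `openssl s_client` holds the whole handshake transcript, while `update-ca-certificates` only picks up `.crt` files under `/usr/local/share/ca-certificates`. The sketch below extracts just the PEM block(s) and stages them there under a `.crt` name; the function names and the `dev-server` default are assumptions for illustration.

```shell
#!/bin/sh
# Added example: function names and the "dev-server" default are illustrative.

# Print only the PEM certificate blocks found on stdin, dropping the
# handshake transcript that s_client writes around them.
extract_pem_certs() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
         inside                          { print }
         /^-----END CERTIFICATE-----$/   { inside = 0 }'
}

# stage_ca_cert TRANSCRIPT [NAME] [DESTDIR]
# Writes DESTDIR/NAME.crt and prints its path; fails if the transcript holds
# no complete certificate. update-ca-certificates only includes files ending
# in .crt, so the extension is forced here.
stage_ca_cert() {
    src=$1
    name=${2:-dev-server}
    dest=${3:-/usr/local/share/ca-certificates}
    out="$dest/${name%.crt}.crt"
    tmp=$(mktemp) || return 1
    extract_pem_certs < "$src" > "$tmp"
    if ! grep -q '^-----END CERTIFICATE-----$' "$tmp"; then
        echo "no PEM certificate found in $src" >&2
        rm -f "$tmp"
        return 1
    fi
    mkdir -p "$dest" && mv "$tmp" "$out" && chmod 644 "$out" || return 1
    printf '%s\n' "$out"
}

# Typical use on the machine that runs curl (as root):
#   openssl s_client -connect xxxxx.com:443 </dev/null > logfile
#   openssl x509 -in logfile -noout -fingerprint -sha256
#   stage_ca_cert logfile dev-server && update-ca-certificates
```

Compare the fingerprint printed by `openssl x509` with one taken on the development server itself before running `update-ca-certificates`, since `s_client` saves whatever certificate the remote end presented.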
2

First, on your Linux system, you should add your CERTIFICATE.cert to `/usr/local/share/ca-certificates/`. After that, by adding `--cacert CERTIFICATE.cert` to your command, curl will automatically use this certificate in that request.

Example: `curl --cacert CERTIFICATE.cert -X GET "URL"`.

Obviously, you can edit the request to have your desired request.

Goli