A CA certificate is the root (or intermediate) certificate of a Certification Authority, the entity that signs server certificates. curl verifies a server against a bundle of public CA certificates; to have it trust a different CA, such as your company's internal one, point it at that CA's certificate with the --cacert option:

$ curl --cacert mycompany.cert https://www.mycompany.com

Note that --cacert replaces the default bundle for that invocation rather than adding to it, so the file must contain every CA needed for that connection.

Most of the solutions involved setting the environment variable CURL_CA_BUNDLE to the proper location, or adding cacert=/etc/ssl/certs/ca-certificates.crt to the (newly created) .curlrc file in my home directory. I have tried both, and neither completely solves the issue. curl is finding this location, but it still doesn't work, giving the error.

libcurl performs peer SSL certificate verification by default. This is done by using a CA certificate store that the SSL library can use to make sure the peer's server certificate is valid. curl uses the system-default CA bundle, which is stored in /etc/pki/tls/certs/ca-bundle.crt (the Red Hat-family path; Debian-based systems use /etc/ssl/certs/ca-certificates.crt). Before you change it, make a copy of that file so that you can restore the system default if you need to. You can simply append new CA certificates to that file, or you can replace the entire bundle. Are you also wondering where to get the certificates?
Date: Thu, 12 Jul 2007 13:14:47 -0400
On Wed, 11 Jul 2007, Sanford Walke IV wrote:
> I've got a script that uses curl to send a file to an SSL-enabled website.
> It's been working for months, until they recently renewed their certificate.
It would help to know the site, but I can still give the commands you can use.
> Now I get 'error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed' when I try
> to connect.
So they updated to a newer cert than you have, correct?
> I've read through http://curl.netmirror.org/docs/sslcerts.html and
> http://curl.haxx.se/docs/caextract.html. I'm using the newest cacert.pem
> from the caextract page. I've inspected their certificate in Firefox, and it's
> signed by Verisign.
Maybe it's newer than has been distributed? Sometimes, you can ask the server
itself. When I connect to my SSL'ed website, the last certificate in the chain
is the root CA. Perhaps it's the same with your target site? If so, you can
use OpenSSL's s_client to get it, then copy-paste it, and append it to curl's
collection. The example shows my site; put your target host and its port in
for the -connect option:
OpenSSL> s_client -connect atr2.ath.cx:443 -pause -showcerts -debug
CONNECTED(00000003)
write to 0x80c1768 [0x80c21d8] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00 .z..Q.. .9.
(snip lots of hex)
read from 0x80c1768 [0x80c7738] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 30 ..0
read from 0x80c1768 [0x80c773d] (48 bytes => 48 (0x30))
0000 - ce 8d d7 34 37 4d ea d6-e2 8a 44 6a 2c 20 5c 4a ..47M..Dj, J
0010 - 90 67 2f de 9f 54 6f f0-45 97 0e 70 af c2 c2 bc .g/.To.E.p..
0020 - 80 22 78 53 e2 c3 42 df-c7 72 4a fa 1c c5 bc de .'xS.B.rJ...
Received on 2007-07-12
- In reply to: Sanford Walke IV: 'SSL certificate verify failed'
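The chain-extraction step the reply describes, written out as an added example that is not part of the mailing-list post or of curl itself: it takes the output of `openssl s_client -showcerts`, prints the last certificate block in the chain, and appends it to a bundle after taking the backup copy that the introduction above recommends. The s_client output, the bundle contents and the host names are constructed placeholders (no real certificates), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): pull the last certificate out of
# `openssl s_client -showcerts` output and append it to a backed-up copy of curl's
# CA bundle. SAMPLE_SHOWCERTS is a constructed stand-in for s_client output; the
# bodies LEAFDATA, INTERMEDIATEDATA and ROOTDATA are placeholders, not real certs.
SAMPLE_SHOWCERTS='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
LEAFDATA
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATEDATA
-----END CERTIFICATE-----
 2 s:CN = Example Root CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
ROOTDATA
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.example.test
---
'

# Print the last PEM block on stdin, i.e. the end of the chain as the server sent it.
extract_last_chain_cert() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { block = ""; inblock = 1 }
    inblock                       { block = block $0 "\n" }
    /-----END CERTIFICATE-----/   { inblock = 0; last = block }
    END                           { printf "%s", last }
  '
}

# Print the "s:" subject of the last chain entry, so you can see what you are about
# to trust before appending it.
last_chain_subject() {
  awk '/^ *[0-9]+ s:/ { s = $0 } END { print s }' | sed 's/^ *[0-9]* s://'
}

# Number of certificates in a PEM bundle (0 when there are none).
count_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Append the PEM certificate on stdin to the bundle, keeping a .bak copy first.
append_to_bundle() {
  bundle=$1
  cp -- "$bundle" "$bundle.bak" || return 1
  { printf '\n'; cat; } >> "$bundle"
}

# Live usage would be (host and bundle path are assumptions):
#   openssl s_client -connect host:443 -showcerts </dev/null 2>/dev/null \
#     | extract_last_chain_cert > new-ca.pem
#   append_to_bundle /etc/pki/tls/certs/ca-bundle.crt < new-ca.pem
#   curl --cacert /etc/pki/tls/certs/ca-bundle.crt https://host/
# Offline demo on the constructed sample:
demo_dir=$(mktemp -d)
printf '%s' "$SAMPLE_SHOWCERTS" > "$demo_dir/showcerts.txt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'EXISTINGDATA' '-----END CERTIFICATE-----' \
  > "$demo_dir/ca-bundle.crt"
extract_last_chain_cert < "$demo_dir/showcerts.txt" > "$demo_dir/new-ca.pem"
append_to_bundle "$demo_dir/ca-bundle.crt" < "$demo_dir/new-ca.pem"
echo "appended: $(last_chain_subject < "$demo_dir/showcerts.txt")"
echo "bundle now holds $(count_certs "$demo_dir/ca-bundle.crt") certificates"
```

Two cautions before doing this for real. The certificate you extract comes from the connection itself, so whoever is answering on port 443 (including a man-in-the-middle) chooses what you append; check its fingerprint (openssl x509 -noout -fingerprint -sha256) against one the CA publishes before trusting it. And most servers today omit the root, so the last chain entry is usually an intermediate; adding it works, but pins you to that intermediate, and the more durable fix is to refresh the whole bundle.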
If you've ever tried connecting to a remote service or server over SSL/TLS from a server-side cURL or PHP script running on a Windows server, you may well have encountered the condition that the SSL certificate of the remote server cannot be verified.
The problem occurs when you contact an SSL/TLS secured endpoint with the CURLOPT_SSL_VERIFYPEER curl option set to true. That is the default, and it should stay on: setting it to false makes the error go away only by switching off server authentication altogether.
The error reports that the peer's certificate could not be verified, or cURL may simply return error 10054 (the connection was reset by the remote host).
Well, the problem has a very simple solution. An OpenSSL-backed cURL, which is what PHP's curl extension normally uses, cannot talk directly to the Windows certificate store, so you have to give it a file to validate the Trusted Root Certification Authority against. (A curl built against Windows' own Schannel TLS library reads the Windows store directly and does not need this.)
The Solution
There are several options for obtaining a CA certificate bundle:
- Download one (not entirely recommended but this is the easiest option);
- Export from a trusted provider (e.g. Mozilla);
- Export from your Windows CA store;
Download From the Net
To simply download the current PEM file, go here:
http://curl.haxx.se/docs/caextract.html
and download the cacert.pem file (http://curl.haxx.se/ca/cacert.pem). The same site publishes a SHA-256 hash of the file (cacert.pem.sha256); compare it against your download before putting the file into service. That guards against a corrupted download, not against the site itself, since the hash comes from the same place.
Not that you should trust any source on the internet to guarantee the validity of these CA bundles or the security of your server, but I've verified (at least once) that this file is indeed the CA certificate list exported from Mozilla as supplied in the Firefox browser.
However, if you don't want to trust some random website for the file, you can...
Get the Mozilla list
The conversion script mk-ca-bundle:
The mk-ca-bundle tool converts Mozilla's certificate bundle (the certdata.txt file from the Mozilla NSS source) to PEM format, suitable for (lib)curl and others. Written by Guenter Knauf, it ships in curl's source tree as scripts/mk-ca-bundle.pl, and the caextract page above is produced with it, so running it yourself gives you the same result without trusting the download.
Convert from your local Firefox installation (Linux):
You can also extract the CA certificate list from your local Firefox installation if you have the certutil tool (part of NSS) installed. You just need to run the firefox-db2pem.sh script (yes, this is a bash script, so you need to be on Linux or another system with bash to run it).
Export from Windows
Follow these steps to export your Trusted Root Certification Authority CA certs:
- From the Windows Start menu, run the command 'mmc.exe' to launch the Microsoft Management Console;
- From the MMC, choose 'File' > 'Add/Remove Snap-in...' from the main menu;
- Add the Certificates snap-in; when asked which certificates you want to manage, select Computer account and Local computer;
- From the console root, navigate to 'Certificates (Local Computer)' > 'Trusted Root Certification Authorities' > 'Certificates';
- Select all of the certificates (CTRL+A) and choose 'Action' > 'All Tasks' > 'Export...' from the MMC main menu;
- Follow the wizard to export the certificates in the Cryptographic Message Syntax Standard - PKCS #7 format (.p7b) to a file called TrustedRootCAs.p7b;
- Open a command prompt (cmd.exe) and navigate to the folder containing the .p7b file you just created;
- Run openssl.exe (you may need to add its folder to the Windows PATH environment variable) to convert the file to PEM text with the following command:
c:\php\extras\openssl\openssl.exe pkcs7 -inform DER -in TrustedRootCAs.p7b -print_certs -text > TrustedRootCAs.certs
The -text switch adds a human-readable dump of each certificate. cURL ignores everything outside the BEGIN/END CERTIFICATE blocks, so you can drop -text for a much smaller file; -print_certs alone still writes a subject= and issuer= line ahead of each block, which is handy for finding a particular CA later.
Then, in your PHP application, for example, add the following line BEFORE you call curl_exec():
If you're using the cURL command line on Windows, just rename the file to curl-ca-bundle.crt and put it in the same folder as your curl.exe; it should detect it automatically. Setting the CURL_CA_BUNDLE environment variable to the file's path works as well.
That's about all you should need to get things rolling.
Remember, you don't necessarily have to export all of the CAs. In the case of YubiKey, the authentication API server uses a certificate issued by GoDaddy, so you only need to export that single one if you prefer not to keep this file updated every time root CA certificates are updated by the various providers. The trade-off is that a bundle holding a single root breaks the moment the service moves to a different CA, so treat it like a pin and expect to maintain it.
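An added example, not the article's own code, covering the conversion step and the single-CA case above as a POSIX shell counterpart of the Windows procedure: it wraps the openssl pkcs7 conversion, sanity-checks the resulting PEM file, and pulls out only the certificate whose subject matches a pattern, which is the "export just the GoDaddy root" idea. The sample dump is constructed to mimic the subject=/issuer= lines that `openssl pkcs7 -print_certs` emits, with made-up subjects and placeholder bodies instead of real certificates; the p7b_to_pem function needs a real openssl binary and is not run by the offline demo. Function names and file names are this example's own.

```shell
#!/bin/sh
# Added example, not the article's own code. Shell counterpart of the Windows export
# steps: convert the .p7b to PEM, sanity-check the bundle, and optionally keep one CA.

# Convert an MMC PKCS#7 export (DER) to PEM. curl only needs the PEM blocks, so the
# article's -text switch is dropped; -print_certs still writes a subject=/issuer=
# line pair before each block, which pick_cert_by_subject relies on. Needs openssl.
p7b_to_pem() {
  openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2"
}

# Number of certificates in a PEM bundle (0 when there are none).
count_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# A bundle is usable only if it holds at least one certificate and every BEGIN line
# has a matching END line (a truncated export fails this).
check_bundle() {
  begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
  ends=$(grep -c -e '-----END CERTIFICATE-----' "$1" || true)
  [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# Print only the PEM block(s) whose preceding subject= line matches the awk regex $1.
# Works with both the "subject=C = US, O = ..." (OpenSSL 1.1+) and the
# "subject=/C=US/O=..." (OpenSSL 1.0) spellings, since it matches inside the line.
pick_cert_by_subject() {
  awk -v pat="$1" '
    /^subject=/                   { keep = ($0 ~ pat); next }
    /-----BEGIN CERTIFICATE-----/ { inblock = 1 }
    inblock && keep               { print }
    /-----END CERTIFICATE-----/   { inblock = 0 }
  '
}

# Constructed sample standing in for TrustedRootCAs.certs: the subjects are made up
# and the base64 bodies are placeholders, not real certificates.
SAMPLE_DUMP='subject=C = US, O = Example Corp, CN = Example Root CA
issuer=C = US, O = Example Corp, CN = Example Root CA
-----BEGIN CERTIFICATE-----
EXAMPLEROOTDATA
-----END CERTIFICATE-----

subject=C = US, O = Go Daddy Sample, CN = Go Daddy Sample Root
issuer=C = US, O = Go Daddy Sample, CN = Go Daddy Sample Root
-----BEGIN CERTIFICATE-----
GODADDYSAMPLEDATA
-----END CERTIFICATE-----
'

# Live usage on the exported file would start with:
#   p7b_to_pem TrustedRootCAs.p7b TrustedRootCAs.certs
# Offline demo: full bundle versus a single pinned CA.
demo_dir=$(mktemp -d)
printf '%s' "$SAMPLE_DUMP" > "$demo_dir/TrustedRootCAs.certs"
check_bundle "$demo_dir/TrustedRootCAs.certs" \
  && echo "full bundle: $(count_certs "$demo_dir/TrustedRootCAs.certs") certificates"
pick_cert_by_subject 'Go Daddy' < "$demo_dir/TrustedRootCAs.certs" > "$demo_dir/godaddy-only.pem"
echo "pinned bundle: $(count_certs "$demo_dir/godaddy-only.pem") certificate"
# Either file can then be handed to curl with --cacert <file>.
```

Run check_bundle on whatever you produce before wiring it into cURL: a bundle that parses to zero certificates makes every HTTPS request fail with the same verify error you were trying to cure, which is easy to misread as the original problem.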