I copied the PEM file into /usr/local/share/ca-certificates/ and ran update-ca-certificates, and I verified that the resulting certificate is now included in /etc/ssl/certs/ca-certificates.crt which is the file printed by curl-config –ca. I also verified that the certificate printed by openssl s_client -connect example.com:443 was identical to my PEM file. And yet I continue to get the “error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed” message. This happens even if I use curl’s –cacert option as described at http://curl.haxx.se/docs/sslcerts.html to tell it what certificate to use.
It works if I disable certificate verification altogether with curl -k, but I don’t want to do that because I’m trying to write a test harness that’s supposed to test the SSL properly.
It works fine if I access the same URL in lynx, which normally complains if there are any SSL errors. But I can’t just use Lynx for this test harness, unless I can find some way of making Tornado’s AsyncHTTPClient use Lynx instead of libcurl. And it doesn’t seem to make any sense that installing the self-signed certificate satisfies Lynx but not curl.
I’m using Ubuntu 12.04 LTS in a Vagrant-powered VirtualBox; it has curl 7.22.0. The SSL terminating proxy is nginx/1.3.13 running on the same machine, and the domain name is pointed to 127.0.0.1 by an entry in /etc/hosts.
Any clues on what might be the problem? Thanks.
When we are using cURL to retrieve a HTTPS site that is not using a CA-signed certificate, the following problem occurs.
curl https://example.selfip.com curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed More details here: http://curl.haxx.se/docs/sslcerts.html
Of course, this can simply be overcome by using the -k option.
Identify which directory your OpenSSL installation uses.
root@ubuntu:~# openssl version -d OPENSSLDIR: "/usr/lib/ssl"
Change to that directory and list the directory contents. You should see a directory called “certs”.
root@ubuntu:~# cd /usr/lib/ssl && ls -al
Change to that directory.
root@ubuntu:/usr/lib/ssl# cd certs
List the directory contents. You should see from the symlinks that the certificates are actually stored in
/usr/share/ca-certificates directory and add you self-signed certificate there, (ex: your.cert.name.crt)
/etc directory and edit the file
root@ubuntu:# cd /etc root@ubuntu:# nano ca-certificates.conf
your.cert.name.crt to the file (
ca-certificates.conf) and save it.
Execute the program
Note: You might like to backup
/etc/ssl/certs before executing the command.
root@ubuntu:# update-ca-certificates --fresh Clearing symlinks in /etc/ssl/certs...done. Updating certificates in /etc/ssl/certs....done. Running hooks in /etc/ca-certificates/update.d....done.
Test with curl on your target HTTPS site and it should work now.