I copied the PEM file into /usr/local/share/ca-certificates/ and ran update-ca-certificates, and I verified that the resulting certificate is now included in /etc/ssl/certs/ca-certificates.crt which is the file printed by curl-config --ca. I also verified that the certificate printed by openssl s_client -connect example.com:443 was identical to my PEM file. And yet I continue to get the "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" message. This happens even if I use curl's --cacert option as described at http://curl.haxx.se/docs/sslcerts.html to tell it what certificate to use.
It works if I disable certificate verification altogether with curl -k, but I don't want to do that because I'm trying to write a test harness that's supposed to test the SSL properly.
It works fine if I access the same URL in lynx, which normally complains if there are any SSL errors. But I can't just use Lynx for this test harness, unless I can find some way of making Tornado's AsyncHTTPClient use Lynx instead of libcurl. And it doesn't seem to make any sense that installing the self-signed certificate satisfies Lynx but not curl.
I'm using Ubuntu 12.04 LTS in a Vagrant-powered VirtualBox; it has curl 7.22.0. The SSL terminating proxy is nginx/1.3.13 running on the same machine, and the domain name is pointed to 127.0.0.1 by an entry in /etc/hosts.
Any clues on what might be the problem? Thanks.
If we use cURL
to retrieve a HTTPS
site that is not using a CA-signed certificate, the following problem occurs:
curl https://example.selfip.com
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
While we can simply overcome this using the -k
option, there's a safer and lasting solution, i.e.:
Step 1
Identify which directory your OpenSSL
installation uses.
openssl version -d
OPENSSLDIR: "/usr/lib/ssl"
Step 2
Change to that directory and list the directory contents. You should see a directory called certs
.
cd /usr/lib/ssl && ls -al
Step 3
Change to that directory.
cd certs
List the directory contents. You should see from the symlinks that the certificates are actually stored in /usr/share/ca-certificates
.
Step 4
Change to /usr/share/ca-certificates
directory and add you self-signed certificate there, (ex: your.cert.name.crt)
Step 5
Change to /etc
directory and edit the file ca-certificates.conf
.
root@ubuntu:# cd /etc
root@ubuntu:# nano ca-certificates.conf
Add your.cert.name.crt
to the file (ca-certificates.conf
) and save it.
Last Step:
Execute the program update-ca-certificates –fresh
.
Note: You might like to backup /etc/ssl/certs
before executing the command.
root@ubuntu:# update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...done.
Updating certificates in /etc/ssl/certs....done.
Running hooks in /etc/ca-certificates/update.d....done.
Test with curl on your target HTTPS site and it should work now.
Source