Curl, lynx etc not accepting certificate locally but OK remotely


Edited (2018-12-20): Security warning: Installing a certificate from an unknown source is a security risk.

I fixed the problem by downloading Symantec_Class_3_EV_SSL_CA_G3.crt and installing it:

wget http://symantec.tbs-certificats.com/Symantec_Class_3_EV_SSL_CA_G3.crt
cp Symantec_Class_3_EV_SSL_CA_G3.crt /etc/pki/ca-trust/source/anchors
update-ca-trust

The problem then just went away :) Not sure why this isn't included by default in the root CA bundle.
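The issuer named in the curl output above is an issuing CA certificate that a web server is expected to send along with its own; when the server omits it, a client that does not fetch intermediates on its own fails exactly as shown, and the server-side remedy is to serve the full chain rather than to add the intermediate to every client's trust anchors. The following shell script is an added example (not code from this thread or from curl); it builds a throwaway root -> intermediate -> server chain with openssl, reproduces the failure, and runs the checks worth making on a CA file fetched from the web before it is copied into /etc/pki/ca-trust/source/anchors. All names (Example Root CA, Example Intermediate CA, www.domain.com) and the files under the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the thread): a throwaway root -> intermediate
# -> server chain built with openssl, used to reproduce the "issuer not
# recognized" failure and to vet a CA file before it is copied into
# /etc/pki/ca-trust/source/anchors. All names below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:www.domain.com\n' > "$WORK/leaf.ext"

# Self-signed CA certificate for $2, written to $WORK/$1.crt.
selfsign() {
  name=$1; subject=$2
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "$subject" -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
}

# Certificate for $2 signed by the CA in $3/$4, with extensions from $5.
issue() {
  name=$1; subject=$2; cacert=$3; cakey=$4; ext=$5
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "$subject" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/$name.csr" -CA "$cacert" -CAkey "$cakey" \
    -CAcreateserial -extfile "$ext" -out "$WORK/$name.crt" 2>/dev/null
}

# The same validation a client performs: can LEAF be chained to the anchors
# in CAFILE, using any extra intermediates the server sent (UNTRUSTED)?
verify_leaf() {
  leaf=$1; cafile=$2; untrusted=${3:-}
  if [ -n "$untrusted" ]; then
    openssl verify -CAfile "$cafile" -untrusted "$untrusted" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$cafile" "$leaf" >/dev/null 2>&1
  fi
}

# Checks for a CA file fetched from the web before it becomes an anchor:
#   1. its subject is the issuer the failing leaf actually names (rc 1);
#   2. it chains to a root that is already trusted, i.e. it fills in a
#      missing intermediate rather than adding a new authority (rc 2);
#   3. its SHA-256 fingerprint is printed for out-of-band comparison.
vet_candidate_anchor() {
  candidate=$1; leaf=$2; trusted=$3
  want=$(openssl x509 -in "$leaf" -noout -issuer)
  have=$(openssl x509 -in "$candidate" -noout -subject)
  [ "${want#issuer=}" = "${have#subject=}" ] \
    || { echo "rejected: candidate subject is not the leaf's issuer"; return 1; }
  openssl verify -CAfile "$trusted" "$candidate" >/dev/null 2>&1 \
    || { echo "rejected: candidate does not chain to an existing trusted root"; return 2; }
  openssl x509 -in "$candidate" -noout -fingerprint -sha256
}

# Constructed PKI: real root, real intermediate, server leaf, and a rogue
# self-signed certificate that merely copies the intermediate's name.
selfsign root "/CN=Example Root CA"
issue int "/CN=Example Intermediate CA" "$WORK/root.crt" "$WORK/root.key" "$WORK/ca.ext"
issue leaf "/CN=www.domain.com" "$WORK/int.crt" "$WORK/int.key" "$WORK/leaf.ext"
selfsign rogue "/CN=Example Intermediate CA"

echo "root only, server sends no intermediate:"
verify_leaf "$WORK/leaf.crt" "$WORK/root.crt" && echo "  ok" || echo "  fails, as curl did in the question"
echo "root plus the intermediate sent by the server:"
verify_leaf "$WORK/leaf.crt" "$WORK/root.crt" "$WORK/int.crt" && echo "  ok"
echo "vetting the genuine intermediate as a candidate anchor:"
vet_candidate_anchor "$WORK/int.crt" "$WORK/leaf.crt" "$WORK/root.crt"
echo "vetting a rogue certificate with the same name:"
vet_candidate_anchor "$WORK/rogue.crt" "$WORK/leaf.crt" "$WORK/root.crt" || echo "  (status $?)"
```

`openssl verify` stands in here for the validation curl's NSS backend performed on the server in the question. The fingerprint printed by the third check is the value to compare against what the CA publishes over an authenticated channel, not against a copy served over plain HTTP as in the answer; the rogue case shows why a matching name alone proves nothing.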


Author: John Hunt

Updated on September 18, 2022

Comments

  • John Hunt
    John Hunt over 1 year

    When I connect to my web server to view a site over HTTPS, I get the nice green EV thing in the address bar. When I use curl locally to connect, it complains about the certificate and dies.

    I'm aware I can just skip the certificate checking but I'd like to fix the problem as there are other times that these certs will be checked locally.

    My hosts file (on the server) maps www.domain.com to 192.168.100.62, which Apache is listening on (confirmed by doing a cURL to the same address via http):

    root@web3:~# curl -v https://www.domain.com
    * About to connect() to www.domain.com port 443 (#0)
    *   Trying 192.168.100.62... connected
    * Connected to www.domain.com (192.168.100.62) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * Peer's certificate issuer is not recognized: 'CN=Symantec Class 3 EV SSL CA - G3,OU=Symantec Trust Network,O=Symantec Corporation,C=US'
    * NSS error -8179
    * Closing connection #0
    * Peer certificate cannot be authenticated with known CA certificates
    curl: (60) Peer certificate cannot be authenticated with known CA certificates
    More details here: http://curl.haxx.se/docs/sslcerts.html
    

    I've poked around Google a bit, but can't seem to find much. It may be possible my root CA bundle is outdated, or curl itself is too old to connect, but I've not much experience with this.

    root@web3:~# curl --version
    curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.18 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
    Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
    Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
    

    cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 6.7 (Santiago)

    I have tried adding the verisign root cert by using the update-ca-trust tool, but that also has no impact:

    root@web3:anchors# pwd
    /etc/pki/ca-trust/source/anchors
    root@web3:anchors# ls
    VeriSign-Class-3-Public-Primary-Certification-Authority-G3.crt
    root@web3:anchors#  update-ca-trust
    root@web3:anchors# curl... <snip> same error.
    

    I'm at a bit of a loss as to what the actual issue is. Are certificates only valid on internet IPs?

    • Jenny D
      Jenny D over 8 years
      What happens if you run it with --cacert /etc/pki/ca-trust/source/anchors/VeriSign-Class-3-Public-Primary-Certification-Authority-G3.crt?
    • John Hunt
      John Hunt over 8 years
      * CAfile: /etc/pki/ca-trust/source/anchors/VeriSign-Class-3-Public-Primary-Certification-Authority-G3.pem - it uses it, but I still get the same error. Does this suggest it's curl having the problem rather than a root CA bundle problem?
    • Jenny D
      Jenny D over 8 years
      Sorry, I was too quick. You need to fetch and use the root CA cert that actually signed your cert - your own output tells you that is Symantec Class 3 EV SSL CA.
    • John Hunt
      John Hunt over 8 years
      Thanks, I downloaded and installed Symantec_Class_3_EV_SSL_CA_G3.crt which fixed it! :)
  • akuzminsky
    akuzminsky over 8 years
    Essentially you downloaded a certificate from the untrusted HTTP website and made it a trusted authority. Fake security IMHO.
  • John Hunt
    John Hunt over 8 years
    I agree. For all I know I could have installed a root cert that allows anything at all...