Curl, lynx etc not accepting certificate locally but OK remotely
Edited (2018-12-20): Security warning: Installing a certificate from an unknown source is a security risk.
I fixed the problem by downloading Symantec_Class_3_EV_SSL_CA_G3.crt and installing it:
wget http://symantec.tbs-certificats.com/Symantec_Class_3_EV_SSL_CA_G3.crt
cp Symantec_Class_3_EV_SSL_CA_G3.crt /etc/pki/ca-trust/source/anchors
update-ca-trust
The problem then just went away :) Not sure why this isn't included by default in the root CA bundle.
John Hunt
Updated on September 18, 2022
John Hunt (over 1 year ago):
When I connect to my web server to view a site over HTTPS, I get the nice green EV thing in the address bar. When I use curl locally to connect, it complains about the certificate and dies.
I'm aware I can just skip the certificate checking but I'd like to fix the problem as there are other times that these certs will be checked locally.
My hosts file (on the server) maps www.domain.com to 192.168.100.62, which Apache is listening on (confirmed by doing a cURL to the same address via http):
root@web3:~# curl -v https://www.domain.com
* About to connect() to www.domain.com port 443 (#0)
* Trying 192.168.100.62... connected
* Connected to www.domain.com (192.168.100.62) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Peer's certificate issuer is not recognized: 'CN=Symantec Class 3 EV SSL CA - G3,OU=Symantec Trust Network,O=Symantec Corporation,C=US'
* NSS error -8179
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
I've poked around Google a bit, but can't seem to find much. It may be possible my root CA bundle is outdated, or curl itself is too old to connect, but I've not much experience with this.
root@web3:~# curl --version
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.18 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.7 (Santiago)
I have tried adding the VeriSign root cert by using the update-ca-trust tool, but that also has no impact:
root@web3:anchors# pwd
/etc/pki/ca-trust/source/anchors
root@web3:anchors# ls
VeriSign-Class-3-Public-Primary-Certification-Authority-G3.crt
root@web3:anchors# update-ca-trust
root@web3:anchors# curl... <snip> same error.
I'm at a bit of a loss as to what the actual issue is. Are certificates only valid on internet IPs?
Jenny D (over 8 years ago): What happens if you run it with --cacert /etc/pki/ca-trust/source/anchors/VeriSign-Class-3-Public-Primary-Certification-Authority-G3.crt ?
John Hunt (over 8 years ago): * CAfile: /etc/pki/ca-trust/source/anchors/VeriSign-Class-3-Public-Primary-Certification-Authority-G3.pem - it uses it, but I still get the same error. Does this suggest it's curl having the problem rather than a root CA bundle problem?
Jenny D (over 8 years ago): Sorry, I was too quick. You need to fetch and use the root CA cert that actually signed your cert - your own output tells you that is Symantec Class 3 EV SSL CA.
John Hunt (over 8 years ago): Thanks, I downloaded and installed Symantec_Class_3_EV_SSL_CA_G3.crt which fixed it! :)
akuzminsky (over 8 years ago): Essentially you downloaded a certificate from the untrusted HTTP website and made it a trusted authority. Fake security IMHO.
John Hunt (over 8 years ago): I agree. For all I know I could have installed a root cert that allows anything at all...
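The answer's fix (copy the downloaded .crt into the anchors directory and run update-ca-trust) and the comment thread's objection to it (the file came over plain HTTP and was trusted blindly) both point to the same missing step: checking the downloaded certificate against a fingerprint obtained out of band before it is made a trust anchor. The script below is an added example, not code from the original post or from Red Hat's ca-trust tooling. It assumes a PEM-encoded certificate file, a pinned SHA-256 fingerprint supplied by the operator (obtained from the CA's published fingerprint list or another channel independent of the download), and the RHEL anchors path quoted in the question; the PEM used in its test is a constructed stand-in, not a real certificate.

```python
"""Pin-check a downloaded CA certificate before installing it as a trust anchor.

Added example, not from the original post. Assumes: PEM input, an expected
SHA-256 fingerprint obtained out of band, and the anchors directory used on
the RHEL 6 host in the question (/etc/pki/ca-trust/source/anchors).
"""
import base64
import hashlib
import hmac
import os
import re
import shutil
import subprocess
import sys

# Path from the question; differs on Debian-family systems (assumption: RHEL layout).
ANCHORS_DIR = "/etc/pki/ca-trust/source/anchors"

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and return its DER bytes.

    Only the PEM envelope is parsed; the DER is hashed, not interpreted, so
    a malformed certificate still fails later when the fingerprint is compared.
    """
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint of the DER encoding.

    This is the same digest and layout that
    `openssl x509 -noout -fingerprint -sha256` prints, so a value copied from
    the CA's published list can be compared directly.
    """
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pem_text: str, expected: str) -> bool:
    """True only if the certificate's SHA-256 fingerprint equals the pinned one.

    Accepts the expected value with or without colons/spaces and in either case.
    """
    actual = sha256_fingerprint(pem_to_der(pem_text)).replace(":", "")
    expected_norm = expected.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(actual, expected_norm)


def install_anchor(cert_path: str, expected_fp: str,
                   anchors_dir: str = ANCHORS_DIR, run_update: bool = True) -> str:
    """Copy the certificate into the anchors directory and refresh the bundle,
    but only after the pinned fingerprint check passes.

    Returns the destination path; raises RuntimeError on mismatch so that a
    tampered or wrong download never becomes a trust anchor.
    """
    with open(cert_path, encoding="ascii") as fh:
        pem_text = fh.read()
    if not fingerprint_matches(pem_text, expected_fp):
        raise RuntimeError(
            f"{cert_path}: SHA-256 fingerprint does not match the pinned value; "
            "refusing to install it as a trust anchor"
        )
    dest = os.path.join(anchors_dir, os.path.basename(cert_path))
    shutil.copyfile(cert_path, dest)
    if run_update:
        # Same refresh step the answer runs after copying the file.
        subprocess.run(["update-ca-trust"], check=True)
    return dest


if __name__ == "__main__":
    # usage: pin_anchor.py <cert.crt> <expected-sha256-fingerprint>
    print("installed", install_anchor(sys.argv[1], sys.argv[2]))
```

Run as root with the downloaded file and the pinned fingerprint; if the two do not match, nothing is copied and update-ca-trust is never invoked. The comparison uses hmac.compare_digest so that timing does not leak how many leading bytes matched, which costs nothing here and is the habit worth keeping for any secret-or-pin comparison.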