What is the proper way to install CA root certificates so that curl sees them?

Moritz Wilhelmy moritz at wzff.de
Mon Feb 29 23:08:14 UTC 2016


Hi,

I would like to install CAcert on my system.

I placed the certificate in /etc/ssl/certs, calculated the hash as
follows:
	$ openssl x509 -noout -hash -in cacert.pem 
	99d0fa06

and then created a symlink from /etc/ssl/certs/99d0fa06.0 to cacert.pem.

Now the problem: curl doesn't even look there. It only looks at
/usr/local/share/certs/ca-root-nss.crt, and I even checked with truss,
it does not open(2) any other paths related to openssl.

What's the proper way to install CA root certificates on FreeBSD?

(The improper way being, I assume, to just concatenate the certificate
to /usr/local/share/certs/ca-root-nss.crt)

Best regards,
Moritz


$ curl -vo /dev/null https://cacert.org/ 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time
  % Current
                                 Dload  Upload   Total   Spent    Left
Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--
0*   Trying 2001:7b8:3:9c::245...
* Connected to cacert.org (2001:7b8:3:9c::245) port 443 (#0)
* Cipher selection:
* ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS alert, Client hello (1):
{ [2 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [98 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3548 bytes data]
* TLSv1.2 (OUT), TLS alert, Server hello (2):
} [2 bytes data]
* SSL certificate problem: self signed certificate in certificate chain
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--
0
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
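The hashed-directory install the post describes, as an added shell example (not code from the original post or from FreeBSD): it builds a constructed throwaway CA, installs it into a CApath layout with the <subject-hash>.<n> symlink, and checks with openssl that the layout validates before the directory is handed to curl with --capath. It assumes openssl(1) is installed, a temp directory standing in for /etc/ssl/certs, and a placeholder hostname example.invalid.

```shell
#!/bin/sh
# Added example, not code from the original post: build a throwaway CA,
# install it into a hashed CApath directory as the post describes, and
# prove the layout works with openssl before handing it to curl.
# Assumes openssl(1) is installed; $WORK/certs stands in for /etc/ssl/certs.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CAPATH="$WORK/certs"
mkdir -p "$CAPATH"

# Constructed self-signed test CA (so the example runs offline); prints its path.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test Root CA" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
  echo "$WORK/$1.pem"
}

# Copy a PEM CA into a CApath directory and add the <subject-hash>.<n>
# symlink OpenSSL looks up; n increments when another CA shares the hash.
install_ca() {
  pem=$1; dir=$2
  hash=$(openssl x509 -noout -hash -in "$pem")
  cp "$pem" "$dir/"
  n=0
  while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
  ln -s "$(basename "$pem")" "$dir/$hash.$n"
  echo "$dir/$hash.$n"
}

# Does a chain ending in this certificate validate against the CApath?
verify_with_capath() {
  openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

CA=$(make_test_ca root)
LINK=$(install_ca "$CA" "$CAPATH")
verify_with_capath "$CA" "$CAPATH" && echo "CApath OK via $LINK"

# curl reports "CApath: none" on the poster's system, so the directory must
# be passed explicitly (or the PEM via --cacert) rather than using -k:
#   curl --capath "$CAPATH" https://example.invalid/
```

The verify step is the check worth keeping: if openssl cannot validate against the directory, curl will not either, whatever path it is given.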
