What is the proper way to install CA root certificates so that curl sees them?
Moritz Wilhelmy
moritz at wzff.de
Mon Feb 29 23:08:14 UTC 2016
Hi,
I would like to install CAcert on my system.
I placed the certificate in /etc/ssl/certs, calculated the hash as
follows:
$ openssl x509 -noout -hash -in cacert.pem
99d0fa06
and then created a symlink from /etc/ssl/certs/99d0fa06.0 to cacert.pem.
Now the problem: curl doesn't even look there. It only looks at
/usr/local/share/certs/ca-root-nss.crt, and I even checked with truss,
it does not open(2) any other paths related to openssl.
What's the proper way to install CA root certificates on FreeBSD?
(The improper way being, I assume, to just concatenate the certificate
to /usr/local/share/certs/ca-root-nss.crt)
Best regards,
Moritz
$ curl -vo /dev/null https://cacert.org/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
*   Trying 2001:7b8:3:9c::245...
* Connected to cacert.org (2001:7b8:3:9c::245) port 443 (#0)
* Cipher selection:
* ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS alert, Client hello (1):
{ [2 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [98 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3548 bytes data]
* TLSv1.2 (OUT), TLS alert, Server hello (2):
} [2 bytes data]
* SSL certificate problem: self signed certificate in certificate chain
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
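The trace above says "CApath: none": that curl build was never going to read the hashed symlinks in /etc/ssl/certs unless told to with --capath. The script below is an added example (not from the post, FreeBSD or curl) that builds such a hash-named CApath directory the way the post does by hand and verifies a certificate against it; it assumes openssl(1) is installed, and the test CA and all paths are constructed.

```shell
# Added example, not from the original post. Builds an OpenSSL-style CApath
# directory (hash-named symlinks, as the post does by hand) and checks that
# a certificate verifies against it. Assumes openssl(1) is installed; the
# test CA and all paths are constructed here.
set -eu

# install_ca <cert.pem> <capath-dir>: copy the cert in and create the
# <subject_hash>.N symlink OpenSSL's CApath lookup expects (N is 0 unless
# another CA already has the same subject hash). -subject_hash prints the
# same value the post gets from "openssl x509 -hash".
install_ca() {
    cert=$1; dir=$2
    mkdir -p "$dir"
    hash=$(openssl x509 -noout -subject_hash -in "$cert")
    name=$(basename "$cert")
    cp "$cert" "$dir/$name"
    n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    ln -s "$name" "$dir/$hash.$n"
    printf '%s\n' "$hash.$n"
}

# verify_with_capath <cert.pem> <capath-dir>: prints "ok" or "fail". This is
# the lookup curl performs when given --capath; the post's trace shows
# "CApath: none", so that curl never consulted /etc/ssl/certs at all.
verify_with_capath() {
    if openssl verify -CApath "$2" "$1" >/dev/null 2>&1; then echo ok
    else echo fail
    fi
}

# make_test_ca <dir>: constructed self-signed root standing in for cacert.pem.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Constructed Test Root CA' \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
    printf '%s\n' "$1/ca.pem"
}

# Demo: verification fails before the CA is installed and succeeds after.
demo() {
    work=$(mktemp -d); mkdir -p "$work/capath"
    ca=$(make_test_ca "$work")
    before=$(verify_with_capath "$ca" "$work/capath")
    link=$(install_ca "$ca" "$work/capath")
    after=$(verify_with_capath "$ca" "$work/capath")
    echo "$before -> $after ($link)"   # e.g. "fail -> ok (<hash>.0)"
    rm -rf "$work"
}
```

Pointing curl at the resulting directory is then `curl --capath <dir> <url>`; the trace will show the directory under CApath instead of "none".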