Date: Tue, 1 Mar 2016 00:08:09 +0100 From: Moritz Wilhelmy <moritz@wzff.de> To: freebsd-questions@freebsd.org Subject: What is the proper way to install CA root certificates so that curl sees them? Message-ID: <20160229230747.GB26392@barfooze.de>
Hi,

I would like to install CAcert on my system. I placed the certificate in /etc/ssl/certs, calculated the hash as follows:

$ openssl x509 -noout -hash -in cacert.pem
99d0fa06

and then created a symlink from /etc/ssl/certs/99d0fa06.0 to cacert.pem.

Now the problem: curl doesn't even look there. It only looks at /usr/local/share/certs/ca-root-nss.crt, and I even checked with truss, it does not open(2) any other paths related to openssl.

What's the proper way to install CA root certificates on FreeBSD? (The improper way being, I assume, to just concatenate the certificate to /usr/local/share/certs/ca-root-nss.crt)

Best regards,
Moritz

$ curl -vo /dev/null https://cacert.org/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 2001:7b8:3:9c::245...
* Connected to cacert.org (2001:7b8:3:9c::245) port 443 (#0)
* Cipher selection:
* ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS alert, Client hello (1):
{ [2 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [98 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3548 bytes data]
* TLSv1.2 (OUT), TLS alert, Server hello (2):
} [2 bytes data]
* SSL certificate problem: self signed certificate in certificate chain
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
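The hash-named symlink step described in the message above, as an added example that is not part of Moritz's post nor of FreeBSD's or curl's own tooling. It assumes only the `openssl` command-line tool; the function names `capath_install` and `capath_check` are hypothetical. The install step picks the next free `.N` suffix (OpenSSL's by-directory lookup tries `<hash>.0`, `<hash>.1`, ... until a name is missing, so two CAs whose subjects hash to the same value must take consecutive suffixes), and the check runs `openssl verify -CApath` against the directory so you can confirm the store resolves the certificate before involving curl. Note the trace above: curl reported `CAfile: ... CApath: none`, so a directory built this way is only consulted by curl when it is pointed at it explicitly (for example with `--capath`), independent of whether the symlink itself is correct.

```shell
#!/bin/sh
# Added example (not from the original post). Installs a PEM CA certificate
# into an OpenSSL CApath directory under its subject-hash name and checks
# that the directory actually resolves it. Requires the openssl CLI.

# Print the SHA-256 fingerprint of a certificate, used to detect duplicates.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# Usage: capath_install <capath-dir> <ca.pem>
# Creates <capath-dir>/<subject-hash>.<N> -> <ca.pem> and prints the link name.
capath_install() {
    dir=$1
    pem=$2
    mkdir -p "$dir" || return 1
    # Same hash the post computed with "openssl x509 -noout -hash".
    hash=$(openssl x509 -noout -hash -in "$pem") || return 1
    want=$(cert_fingerprint "$pem") || return 1
    n=0
    # Walk <hash>.0, <hash>.1, ... exactly as OpenSSL's by-dir lookup does.
    while [ -e "$dir/$hash.$n" ]; do
        # The same certificate is already installed: reuse that link.
        if [ "$(cert_fingerprint "$dir/$hash.$n" 2>/dev/null)" = "$want" ]; then
            echo "$hash.$n"
            return 0
        fi
        # A different CA with a colliding subject hash: take the next suffix.
        n=$((n + 1))
    done
    # Link by absolute path so the entry survives a cwd change.
    abs="$(cd "$(dirname "$pem")" && pwd)/$(basename "$pem")"
    ln -s "$abs" "$dir/$hash.$n" || return 1
    echo "$hash.$n"
}

# Usage: capath_check <capath-dir> <ca.pem>
# Exit 0 when "openssl verify -CApath" trusts the certificate from the
# directory; a self-signed CA that is NOT found fails with the same
# "self signed certificate" class of error curl printed in the post.
capath_check() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

Point curl at the directory afterwards (`curl --capath <dir> ...`) or check which locations it is using from the `certificate verify locations` line in its `-v` output; a correctly named symlink in a directory curl never opens, as the truss check in the post showed, changes nothing.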