From owner-freebsd-questions@freebsd.org Mon Feb 29 23:08:14 2016
Date: Tue, 1 Mar 2016 00:08:09 +0100
From: Moritz Wilhelmy
To: freebsd-questions@freebsd.org
Subject: What is the proper way to install CA root certificates so that curl sees them?
Message-ID: <20160229230747.GB26392@barfooze.de>
User-Agent: Mutt/1.5.23 (2014-03-12)

Hi,

I would like to install CAcert on my system. I placed the certificate in
/etc/ssl/certs, calculated the hash as follows:

    $ openssl x509 -noout -hash -in cacert.pem
    99d0fa06

and then created a symlink from /etc/ssl/certs/99d0fa06.0 to cacert.pem.

Now the problem: curl doesn't even look there. It only looks at
/usr/local/share/certs/ca-root-nss.crt, and I even checked with truss, it
does not open(2) any other paths related to openssl.

What's the proper way to install CA root certificates on FreeBSD?

(The improper way being, I assume, to just concatenate the certificate to
/usr/local/share/certs/ca-root-nss.crt)

Best regards,

Moritz

    $ curl -vo /dev/null https://cacert.org/
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Trying 2001:7b8:3:9c::245...
    * Connected to cacert.org (2001:7b8:3:9c::245) port 443 (#0)
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: /usr/local/share/certs/ca-root-nss.crt
      CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    } [512 bytes data]
    * TLSv1.2 (IN), TLS alert, Client hello (1):
    { [2 bytes data]
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    { [98 bytes data]
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    { [3548 bytes data]
    * TLSv1.2 (OUT), TLS alert, Server hello (2):
    } [2 bytes data]
    * SSL certificate problem: self signed certificate in certificate chain
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    * Closing connection 0
    curl: (60) SSL certificate problem: self signed certificate in certificate chain
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.
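The hashed-symlink install that the mail describes, written out as an added example (it is not part of Moritz's message and not FreeBSD's own tooling). The script is POSIX sh; it computes the OpenSSL subject hash exactly as in the mail, creates the `<hash>.<n>` symlink OpenSSL's directory lookup expects (incrementing `n` only when a different certificate already owns that hash), and then verifies the certificate against that directory rather than against the compiled-in bundle. The demo CA it generates is a constructed throwaway for illustration, and all paths are placeholders.

```shell
#!/bin/sh
# Install a CA certificate into an OpenSSL "CApath" directory (hash-named
# symlinks) and check that OpenSSL finds it there. Added example; the
# directory names below are placeholders, not FreeBSD defaults.

set -eu

# Print the OpenSSL subject-name hash of a PEM certificate (e.g. 99d0fa06).
ca_hash() {
    openssl x509 -noout -hash -in "$1"
}

# Copy PEM into CAPATH and create the <hash>.<n> symlink. n starts at 0 and
# is bumped only when a *different* certificate already owns that hash;
# re-installing the same certificate reuses the existing link.
# Prints the path of the symlink that was created.
install_ca_cert() {
    pem=$1
    capath=$2
    subject_hash=$(ca_hash "$pem")
    mkdir -p "$capath"
    dest="$capath/$(basename "$pem")"
    cp "$pem" "$dest"
    n=0
    while [ -e "$capath/$subject_hash.$n" ] && ! cmp -s "$capath/$subject_hash.$n" "$dest"; do
        n=$((n + 1))
    done
    # relative link target so the directory can be moved as a unit
    ln -sf "$(basename "$dest")" "$capath/$subject_hash.$n"
    echo "$capath/$subject_hash.$n"
}

# Return 0 when OpenSSL trusts CERT using CAPATH as its trust directory.
# A self-signed CA that is only present in the directory passes here and
# fails without -CApath, which is the quickest way to prove the symlink
# (not the default bundle) is what satisfied the lookup.
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Demo: generate a constructed test CA, install it, verify it.
# Run as:  sh install_ca.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
        -days 1 -keyout "$work/key.pem" -out "$work/cacert.pem" 2>/dev/null
    link=$(install_ca_cert "$work/cacert.pem" "$work/certs")
    echo "installed: $link -> $(basename "$work/cacert.pem")"
    if verify_with_capath "$work/certs" "$work/cacert.pem"; then
        echo "openssl verify -CApath: OK"
    fi
    # curl does not consult a CApath unless told to; point it there explicitly:
    echo "curl --capath $work/certs https://example.invalid/   # placeholder URL"
    rm -rf "$work"
fi
```

Two checks worth running before changing anything: `openssl version -d` prints the OPENSSLDIR that OpenSSL's default lookup uses, and `curl-config --ca` prints the CA bundle path curl was built with, which is why the truss output in the mail shows only /usr/local/share/certs/ca-root-nss.crt being opened. Until curl is pointed at the directory with `--capath` (or at a file with `--cacert`), a hashed symlink under /etc/ssl/certs is invisible to it even though `openssl verify -CApath` accepts it.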