When using curl, you may receive the following error message if you are missing the CA certificate in the directory tree /usr/local/share/ca-certificates/ for the site you are trying to connect to:
user@hardy:/tmp$ curl https://example.com curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). The default bundle is named curl-ca-bundle.crt; you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). |
The easiest way around this is to turn off curl’s verification of the certificate, using the -k (or –insecure) option. However, the best way is to add the associated CA certificate to your system by following these directions: Adding Additional SSL CA certificates.
On Ubuntu Hardy, curl is compiled to use the file /etc/ssl/certs/ca-certificates.crt. You will see the following when executing curl against a site using HTTPS:
* successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none |
On Ubuntu Lucid, curl is compiled to use the CA certificate directory /etc/ssl/certs/. You will see the following when executing curl against a site using HTTPS:
* successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs |
You can override this with the –ca-cert or –capath options.