When using curl, you may receive the following error message if the CA certificate for the site you are trying to connect to is missing from the directory tree /usr/local/share/ca-certificates/:
user@hardy:/tmp$ curl https://example.com
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). The default
bundle is named curl-ca-bundle.crt; you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
The easiest way around this is to turn off curl's verification of the certificate, using the -k (or --insecure) option, but curl then accepts any certificate the server presents. The best way is to add the associated CA certificate to your system by following these directions: Adding Additional SSL CA certificates.
On Ubuntu Hardy, curl is compiled to use the file /etc/ssl/certs/ca-certificates.crt. You will see the following in verbose (-v) output when executing curl against a site using HTTPS:
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
On Ubuntu Lucid, curl is compiled to use the CA certificate directory /etc/ssl/certs/. You will see the following in verbose (-v) output when executing curl against a site using HTTPS:
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
You can override this with the --cacert or --capath options.
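To tell a missing CA apart from the certificate problems listed in curl's error text without reaching for -k, the same checks can be reproduced offline with openssl. The script below is an added example, not part of the original post; the demo CA, the example.com certificate, the file names and the function names are constructed, and it assumes the openssl command-line tool with its default configuration is installed.

```shell
#!/bin/sh
# Added example. Every name here (Demo Root CA, example.com, temp files) is
# constructed for the demo; nothing touches the system CA store.

# make_pki DIR: create ca.pem (self-signed CA) and server.pem (CN=example.com,
# signed by that CA) inside DIR.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/server.csr" -days 2 -CA "$1/ca.pem" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/server.pem" 2>/dev/null
}

# chain_ok CERT [openssl verify options...]: succeed only if openssl prints
# "CERT: OK". With no options the default trust store is used, the same
# situation as curl falling back to its compiled-in CAfile/CApath.
chain_ok() {
    cert=$1; shift
    openssl verify "$@" "$cert" 2>&1 | grep -q ': OK$'
}

# diagnose DIR HOSTNAME: classify the outcomes the curl error text lists.
diagnose() {
    if chain_ok "$1/server.pem"; then
        echo "trusted by default store"
    elif ! chain_ok "$1/server.pem" -CAfile "$1/ca.pem"; then
        echo "certificate problem (expired or bad signature)"
    elif ! chain_ok "$1/server.pem" -CAfile "$1/ca.pem" -verify_hostname "$2"; then
        echo "name mismatch"
    else
        echo "CA missing from default store"
    fi
}

workdir=$(mktemp -d) && make_pki "$workdir"
diagnose "$workdir" example.com        # CA missing from default store
diagnose "$workdir" other.example.net  # name mismatch
# Real-world equivalents once you hold the site's CA certificate:
#   curl --cacert ca.pem https://example.com          (one-off)
#   sudo cp ca.pem /usr/local/share/ca-certificates/demo-ca.crt
#   sudo update-ca-certificates                       (system-wide)
```

Only the "CA missing from default store" result is fixed by installing the CA certificate; an expired certificate or a name mismatch has to be corrected on the server.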