PatrickMD.net

Thoughts on Medicine, Anesthesiology, and Software


Where can I get all the SSL root certificates?

July 7th, 2008 by Patrick

SSL Bad Certificate Error

When using Java, or curl, or other programs to fetch data via SSL, I frequently run into problems with servers that have SSL certificates from a “new” (within the last 10 years) signature authority:

$ curl -v https://api.smugmug.com/
[...]
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

In the case of “api.smugmug.com”, the handshake shows the server certificate was issued by an intermediate CA belonging to “The USERTRUST Network” (UTN-USERFirst-Hardware). The verify error at depth 1 is the real clue: OpenSSL received that intermediate from the server but could not find the root that signed it in the local trust store. (The depth and verify lines are printed on s_client's stderr, which is why they show up even though stdout is piped through grep.)

$ openssl s_client -connect api.smugmug.com:443 < /dev/null | grep issuer
depth=1 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
verify error:num=20:unable to get local issuer certificate
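To see exactly what “unable to get local issuer certificate” at depth 1 means, here is an added example (my own script, not part of the original post) that builds a throwaway root → intermediate → leaf chain with openssl and verifies the leaf twice: once against a store that lacks the root, which reproduces error 20 offline, and once against a store that contains it. All names (“Toy Root”, “Toy Other”, api.example.test) and file paths are made up; nothing here touches the network.

```shell
#!/bin/sh
# Added example (not from the post): reproduce OpenSSL verify error 20 with a
# throwaway chain, then show the same leaf verifying once the right root is
# in the store. All subjects and file names are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# newkey_csr NAME CN: fresh RSA key and CSR under $WORK.
newkey_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# make_chain: two self-signed roots ("Toy root" anchors our chain, "Toy other"
# stands in for a stale trust store that never heard of it), an intermediate
# signed by Toy root, and a leaf signed by the intermediate.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
  for r in root other; do
    newkey_csr "$r" "Toy $r"
    openssl x509 -req -in "$WORK/$r.csr" -signkey "$WORK/$r.key" -days 2 \
      -extfile "$WORK/ca.ext" -out "$WORK/$r.pem" 2>/dev/null
  done
  newkey_csr int "Toy Intermediate"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  newkey_csr leaf "api.example.test"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_with STORE: verify the leaf the way a client does, with the
# intermediate supplied as untrusted (the server sends it during the handshake)
# and STORE playing the role of the local root store. Prints OpenSSL's verdict
# and returns its exit status.
verify_with() {
  openssl verify -CAfile "$1" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" 2>&1
}

make_chain
echo "== store without Toy root (a stale curl-ca-bundle looks like this):"
verify_with "$WORK/other.pem" || true   # error 20 at 1 depth lookup: unable to get local issuer certificate
echo "== store containing Toy root:"
verify_with "$WORK/root.pem"            # .../leaf.pem: OK
```

The first run fails at depth 1, exactly as in the smugmug transcript: the intermediate was found (it came from the server), but its issuer is not in the store. Adding the intermediate to the store would not help; only the root does. If instead the server omitted its intermediate, the same error 20 would be reported at depth 0, and no client-side root update fixes that.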

I recently found a great way to fix the problem of missing root certificates. Mozilla's root program reviews CA inclusion requests and maintains the root database that ships with Firefox (the NSS certdata.txt file). The curl project regularly converts that database into a single PEM bundle and publishes it at http://curl.haxx.se/ca/cacert.pem. Two caveats before you rely on it: fetch the bundle over HTTPS and compare it against the checksum file the curl site publishes next to it, because a trust store pulled over plain HTTP can be replaced by anyone on the path, and that store then decides which servers you trust; and if a server fails to send its intermediate certificates you will see the same verify error reported at depth 0, which no root update can fix because the chain has to be repaired on the server side.

Updating your local curl store is easy. The bundle location depends on how curl was built; running curl-config --ca prints the path it was compiled with (this post assumes /usr/local/share/curl/curl-ca-bundle.crt, while distribution packages usually point at the system-wide bundle). If you would rather not touch the system store, curl --cacert /path/to/cacert.pem, or the CURL_CA_BUNDLE environment variable, points a single run at a different bundle instead:

$ mv /usr/local/share/curl/curl-ca-bundle.crt /usr/local/share/curl/curl-ca-bundle.crt.OLD
$ curl http://curl.haxx.se/ca/cacert.pem > /usr/local/share/curl/curl-ca-bundle.crt
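The two commands above have a weak spot beyond the plain-HTTP download: the redirect truncates the live bundle before the transfer finishes, so a failed download leaves curl with an empty trust store. Here is an added example (my own script, not the post's or the curl project's) of the same swap done safely: it installs a downloaded bundle only after its SHA-256 matches the checksum file published beside it, refuses a file with no certificates in it, keeps the previous bundle as .OLD, and replaces the live file with an atomic rename. The destination path is an assumption (use whatever curl-config --ca reports), and the demo inputs at the bottom are constructed stand-ins, not real certificates, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the post): install a downloaded CA bundle only after
# its SHA-256 matches the published checksum, keep the old bundle as .OLD, and
# swap files atomically. Paths are assumptions; the demo inputs are constructed.
set -eu

# sha256_of FILE: hex digest, using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | awk '{print $1}'
  else openssl dgst -sha256 -r "$1" | awk '{print $1}'
  fi
}

# count_certs FILE: number of PEM certificate blocks (prints 0 if none).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# install_bundle NEW SUMFILE DEST
#   NEW      the downloaded cacert.pem
#   SUMFILE  its checksum file, "<hex>  cacert.pem" (curl publishes cacert.pem.sha256)
#   DEST     the bundle your curl reads
# Returns 1 without touching DEST if the digest or the content looks wrong.
install_bundle() {
  expected=$(awk 'NR==1 {print $1}' "$2")
  actual=$(sha256_of "$1")
  if [ "$expected" != "$actual" ]; then
    echo "refusing to install $1: sha256 $actual does not match published $expected" >&2
    return 1
  fi
  n=$(count_certs "$1")
  if [ "$n" -lt 1 ]; then
    echo "refusing to install $1: no certificates found" >&2
    return 1
  fi
  if [ -f "$3" ]; then
    cp -p "$3" "$3.OLD"                  # keep the old store so you can roll back
  fi
  cp "$1" "$3.tmp" && mv "$3.tmp" "$3"   # rename is atomic: curl never reads a half-written bundle
  echo "installed $n certificate(s) into $3"
}

# --- Demo with constructed input (offline). For real use, fetch both files with
#     curl -O https://curl.se/ca/cacert.pem -O https://curl.se/ca/cacert.pem.sha256
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/store"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBfakeCertificateBodyForDemoOnly==' '-----END CERTIFICATE-----' > "$DEMO/cacert.pem"
printf '%s  cacert.pem\n' "$(sha256_of "$DEMO/cacert.pem")" > "$DEMO/cacert.pem.sha256"   # stands in for the published checksum
cp "$DEMO/cacert.pem" "$DEMO/tampered.pem"                                                  # same bundle with an extra CA slipped in
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBinjectedOnThePath==' '-----END CERTIFICATE-----' >> "$DEMO/tampered.pem"

install_bundle "$DEMO/cacert.pem" "$DEMO/cacert.pem.sha256" "$DEMO/store/curl-ca-bundle.crt"
install_bundle "$DEMO/tampered.pem" "$DEMO/cacert.pem.sha256" "$DEMO/store/curl-ca-bundle.crt" \
  || echo "tampered bundle rejected, store unchanged"
```

The checksum comparison is what makes the HTTPS download worth trusting: the bundle is the thing that decides whom you trust, so it is the one file you do not want to accept on the strength of the transfer alone. The certificate count is only a sanity check, but it catches the truncation case that the plain redirect in the original commands silently produces.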

If all else fails, you can add the "-k" or "--insecure" flag to curl so it ignores invalid SSL certificates. This keeps the encryption but abandons authentication: the connection is encrypted to whoever answered, so anyone on the path can terminate it with a certificate of their own and read or rewrite everything. Authentication is half the point of SSL, so it is worth taking the step above to update your root store (or passing the fresh bundle with --cacert) rather than reaching for -k.
