Ssl – Add SSL certificate after curl error: “unable to get local issuer certificate”

curlopensslssltls

I'm trying to access a partners SOAP API, for that goal I made a CSR and received a CRT. I've made a PEM file with my key and the CRT:

cat mycert.crt mykey.key > mycertandkey.pem

When I try to hit the service with curl:

curl --verbose --cert mycertandkey.pem https://partner/service?wsdl
* Hostname was NOT found in DNS cache
*   Trying IP.IP.IP.IP...
* Connected to PARTNER (IP.IP.IP.IP) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Now when I try with the -k option everything works fine, but I'd rather add their current SSL certificate so I can connect without the -k option.

I'd like to try the second option in the following answer but haven't managed so far: https://stackoverflow.com/a/24618403/2730032

I retrieved different certificates from my partners service with openssl like in: https://stackoverflow.com/a/7886248/2730032

Afterwards I tried adding these certificates to my server with https://superuser.com/a/437377

But so far I still cannot get curl to work without the -k flag. Am I wrong in how I retrieve the needed certificate or in how I add it to my system? Or am I mistaken in my general approach?

EDIT 1: This is what happens when I try to get the certificates via SSL

openssl s_client -showcerts -connect PARTNER:443 </dev/null
CONNECTED(00000003)
depth=0 O = PARTNER_INFO, OU = PARTNER_INFO, CN = PARTNER_INFO
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = PARTNER_INFO, OU = PARTNER_INFO, CN = PARTNER_INFO
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = PARTNER_INFO, OU = PARTNER_INFO, CN = PARTNER_INFO
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=PARTNER_INFO/OU=PARTNER_INFO/CN=PARTNER_INFO
   i:/C=PARTNER_INFO/ST=PARTNER_INFO/L=PARTNER_INFO/O=PARTNER_INFO/OU=PARTNER_INFO/CN=PARTNER_INFO CA/emailAddress=PARTNER_INFO
-----BEGIN CERTIFICATE-----
CERTIFICATE1
-----END CERTIFICATE-----
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
CERTIFICATE2
-----END CERTIFICATE-----
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
CERTIFICATE3
-----END CERTIFICATE-----
---
Server certificate
subject=/O=PARTNER_INFO/OU=PARTNER_INFO/CN=PARTNER_INFO
issuer=/C=PARTNER_INFO/ST=PARTNER_INFO/L=PARTNER_INFO/O=PARTNER_INFO/OU=PARTNER_INFO/CN=PARTNER_INFO CA/emailAddress=PARTNER_INFO
---
No client certificate CA names sent
---
SSL handshake has read 3872 bytes and written 503 bytes
---
MORE INFO...

I've also tried openssl s_client -showcerts -key mycertandkey.pem -connect PARTNER:443 </dev/null but it gives me the same results (and certificates).

EDIT 2: As I've commented in the only answer so far: the partner in question added a Gandi CA to their server (at least that's what they tell me) and it now works. So it seems since their certificate is now signed by a CA that is in my default CA bundle I can now get curl to work without the -k flag. However it would be nice to know how I could've corrected the problem on my end.

Best Answer

The --cert option is for specifying your own certificate (client certificate). But it fails to verify the servers certificate. To specify this certificate use either --cacert or --capath, depending on how you have the servers certificate/CA (see documentation of curl). Note that you usually don't have a private key for the servers certificate, so only the certificate w/o the key should be given.

Related Solutions

SSL Error: self signed certificate in certificate chain

You don't need the root certificate in the chain (though I don't believe having it hurts anything).

That error is more of a warning from openssl in this case I think. I believe what it means is just that openssl doesn't know that it should trust the root certificate of that chain. If you pull out just the root certificate from that bundle and point that openssl command at it with the -CAfile argument I expect that "error" should go away.

Inside the sf_bundle.crt file you should see two

-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----

blocks (possibly with plain text above each block showing what certificate the block contains). If you split each of those blocks into its own file so you end up with block1.crt and block2.crt you should be able to run openssl x509 -noout -subject -in <file.crt> on each of them to get their respective certificate subject lines.

Assuming that block2.crt has a subject line of /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority you should then be able to run openssl s_client -CAfile block2.crt -connect imap.domain.ltd:465 and that should, hopefully, connect without giving you the self-signed certificate error.

Centos – Unable to use builtin CA bundle to verify GoDaddy SHA2 SSL certificate

It appears that the web server at https://facts.dohrn.com/ does not include the intermediate certificate.

This would appear to be a configuration mistake on their part. It is definitely something that can be expected to cause compatibility issues as you are really only supposed to rely on clients having the root certificates in place beforehand.

See the certificate chain, eg from the SSLLabs result: (You'll also note that there are many other issues with their SSL setup.)

1   Sent by server  facts.dohrn.com 
Fingerprint: 823e3a70f194c646498b2591069b3727ad0014d9 
RSA 2048 bits (e 65537) / SHA256withRSA

2   Extra download  Go Daddy Secure Certificate Authority - G2 
Fingerprint: 27ac9369faf25207bb2627cefaccbe4ef9c319b8 
RSA 2048 bits (e 65537) / SHA256withRSA

3   In trust store  Go Daddy Root Certificate Authority - G2   Self-signed  
Fingerprint: 47beabc922eae80e78783462a79f45c254fde68b 
RSA 2048 bits (e 65537) / SHA256withRSA

I would say that your main options are to either try to convince the service provider to fix their service or work around the problem on your end by providing the client with the certificates that their server was expected to provide.

Best Answer

Related Solutions

SSL Error: self signed certificate in certificate chain

Centos – Unable to use builtin CA bundle to verify GoDaddy SHA2 SSL certificate

Related Topic