Ssl – curl SSL issue with RapidSSL certificates

curlssl

I'm getting the famous "SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" problem when attempting to curl a domain that has a rapidssl certificate installed.

I'm running Ubuntu 10.10 and I have openssl installed with a huge /etc/ssl/certs directory. I've tried using the –cacert and –capath arguments.

Nothing seems to work with this specific domain, even though when I visit the site with my web browser it authenticates the certificate.

However, when I curl https://google.com, it has no problem.

What am I doing wrong?

Best Answer

Make sure that you specify www.phaxio.com, and not just phaxio.com. The latter does not provide with a valid certificate, and could be your problem.

https://www.phaxio.com is using a wildcard-certificate. This should validate as long as you specify a prefix to .phaxio.com. This means that phaxio.com is invalid, but www.phaxio.com is valid.

However, phaxio.com actually presents itself with a certificate for an entirely different domain.

The date on the computer you're running curl on could be set to a time outside the certificates validity period. It's valid from 18th September 2011.

The root-certificate list could be too old - the CA-certificate is dated 19th February 2010. (This is probably not the case in Ubuntu 10.10, though).

Related Solutions

Ubuntu 10.04/CURL: How to fix/update the CA Bundle

I've been having the same trouble and after poking around a bit found that you can download a package of CA-certs ready for curl on ubuntu directly from the curl dev site.

cd /etc/ssl/certs
sudo wget http://curl.haxx.se/ca/cacert.pem

Now curl uses the most up-to-date bundle and you're good to go.

SSL Error – Unable to Read Server Certificate from File

Is it possible that the lines are ^M-terminated? This is a potential issue when moving files from Windows to UNIX systems. One easy way to check is to use vi in "show me the binary" mode, with vi -b /etc/apache2/domain.ssl/domain.ssl.crt/domain.com.crt.

If each line ends with a control-M, like this

you've got a file in Windows line-terminated format, and apache doesn't love those.

Your options include moving the file over again, taking more care; or using the dos2unix command to strip those out; you can also remove them inside vi, if you're careful.

Edit: thanks to @dave_thompson_085, who points out that this answer no longer applies in 2019. That is, Apache/OpenSSL are now tolerant of ^M-terminated lines, so they don't cause problems. That said, other formatting errors, several different examples of which appear in the comments, can still cause problems; check carefully for these if the certificate has been moved across systems.

Best Answer

Related Solutions

Ubuntu 10.04/CURL: How to fix/update the CA Bundle

SSL Error – Unable to Read Server Certificate from File

Related Topic