Ubuntu 10.04.4 LTS – cURL SSL certificate permission denied

curlopensslUbuntu

After extensive searching I haven't found documentation of this problem yet.
Suddenly, possibly following a software update(?), cURL fails to establish SSL connections with this error:

curl: (35) error:0200100D:system library:fopen:Permission denied

With strace, I found out that it's trying to open an SSL certificate which is denied:

open("/etc/ssl/certs/3c58f906.0", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)

This certificate is a symlink which points to AddTrust_External_Root.pem which in turn is a symlink to /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt. The permissions are such that indeed my user isn't allowed to access it:

ls -l /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt 
-rw-r----- 1 root ssl-cert 1521 2011-09-01 18:48 /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt

There's probably a reason why this file isn't world-readable, but it's stopping cURL from functioning. Does anybody know the reason, and, more importantly, a safe and secure solution?

Best Answer

There is no reason for this file not to be world readable. It's not anything unique to your system and is included in the default install: http://packages.ubuntu.com/lucid/all/ca-certificates/filelist

Generally I think anything under /usr/share/ may be world readable (since its under "share").

Now why this file is not world readable on your system is the real question. A bug probably.

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

In order to download the certificate, you need to use the client built into openssl like so:

echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
    | openssl x509 > /tmp/$SERVERNAME.cert

That will save the certificate to /tmp/$SERVERNAME.cert.

The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.

You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.

echo -n gives a response to the server, so that the connection is released

openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.

Ssl – Curl with SSL not working on ubuntu server

You seem to have a typo.

$ openssl s_client -connect evernote.com:433

Port 433 is not open on the remote host, which is why you got error 110 (Connection refused).

Try using port 443 (the standard HTTPS port) instead.

As for curl, I can replicate the problem when using evernote.com, but www.evernote.com works properly (though it sends a 302 redirect to https://evernote.com/.

$ curl https://evernote.com/ -vv
* About to connect() to evernote.com port 443 (#0)
*   Trying 204.154.94.73...
* connected
* Connected to evernote.com (204.154.94.73) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection #0
curl: (35) Encountered end of file

This means that the server killed the connection. For whatever reason it really doesn't want to talk to us.

This is probably not something that you can fix.

Best Answer

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

Ssl – Curl with SSL not working on ubuntu server

Related Topic