I recently upgraded our server from 8.04 to 10.04, and all the software along with it.

From what I've found online, it seems that the new version of CURL doesn't include a CA bundle, and, as a result, fails to verify that the certificate of the server you're connecting to is signed by a valid authority.

The actual error is:

CURL error: SSL certificate problem, verify that the CA cert is OK.
Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:
certificate verify failed 

Some places I've found suggest manually specifying a CA file or disabling the check altogether by setting an option when you call CURL, but I'd much rather fix the issue globally, rather than having to modify each application's CURL calls.

Is there a way to fix CURL's CA problem server-wide so that all of the existing application code works as is without needing to be modified?

Nick

4 Answers

I've been having the same trouble and after poking around a bit found that you can download a package of CA-certs ready for curl on ubuntu directly from the curl dev site.

cd /etc/ssl/certs
sudo wget http://curl.haxx.se/ca/cacert.pem

Now curl uses the most up-to-date bundle and you're good to go.

Paul Alexander

Had a similar problem with Ubuntu 12.04 running curl from the command line to get aws command-line tools which were in github. I found if I ran the command-line as such:

curl https://raw.github.com/timkay/aws/master/aws -o aws --cacert /etc/ssl/certs/ca-certificates.crt

it would work. But trying to set the CURL_CA_BUNDLE environment variable so I could avoid the "cacert" argument would not work. Ultimately updating the ca-certificates seemed to resolve the problem:

sudo update-ca-certificates

As a side note, at one point I updated ca-certs from curl.haxx.se which did not resolve the problem but may have been related. (sudo wget http://curl.haxx.se/ca/cacert.pem run from /etc/ssl/certs).

balexandre
Bob Morley

Typically, software that does not have a unique implementation and is compiled against OpenSSL will reference the system-wide ca-bundle.crt often located in /usr/share/ssl/certs.

The location may be different in Ubuntu but the OpenSSL package should include the ca-bundle file.

CURL has a variety of options to specify how it verifies certificates:

  • The CURL_CA_BUNDLE environment variable for the location of the ca-bundle file.
  • --capath allows you to specify the directory where CA certificates are located. (Overrides CURL_CA_BUNDLE)
  • --cacert allows you to specify the CA certificate file.

On my CentOS server, I can run the following to identify the ca-bundle path that CURL uses:

$ curl-config --ca
/usr/share/ssl/certs/ca-bundle.crt
Warner
    Open SSL is installed. I have a "ca-certificates.crt" file in /etc/ssl/certs/ that looks like a bunch of certificates concatenated together, but I guess CURL isn't seeing it? Does CURL have a configuration setting for the CA-Bundle? – Nick Jun 14 '10 at 19:49
  • Are you sure it is not the type of certificate that it is attempting to verify? Newer certificate technologies such as Extended Verification certs often require ca-bundle updates, as the root certs are relatively new. Check out my upcoming edit too. – Warner Jun 14 '10 at 20:00
  • curl-config doesn't seem to be a valid command on Ubuntu. How do I set CURL_CA_BUNDLE? – Nick Jun 15 '10 at 02:07
  • Looks like it's part of the `libcurl3-openssl-dev` package based on a quick Internet search. `CURL_CA_BUNDLE` is just an environment variable. In bash, `CURL_CA_BUNDLE=/path/to/file`. – Warner Jun 15 '10 at 02:58
  • Alright, package is installed, but "curl-config --ca" produces an empty line. I tried setting the variable using 'CURL_CA_BUNDLE="/etc/ssl/certs/ca-certificates.crt"'. But "curl-config --ca" still produces a blank line afterwards. – Nick Jun 15 '10 at 03:05
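An added example, not code from Warner's answer or the comments above: a small POSIX sh script that works out which CA bundle a given curl command line will end up using, and shows why a bare `CURL_CA_BUNDLE=...` assignment in the shell never reaches curl. The precedence it encodes (command-line `--cacert`/`--capath`, then the `CURL_CA_BUNDLE` environment variable, then the path built into libcurl, which is what `curl-config --ca` prints) is curl's documented behaviour; the paths and command lines it is fed are made up for the demonstration, and `curl-config --ca` is only consulted when the tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): how a CA-bundle setting reaches curl,
# and why the comments above never saw CURL_CA_BUNDLE take effect.
#
# curl picks its CA file in this order:
#   1. --cacert FILE / --capath DIR on the command line
#   2. the CURL_CA_BUNDLE environment variable
#   3. the path compiled into libcurl (what `curl-config --ca` prints)
# `curl-config --ca` reports the build-time value only; no environment
# variable changes what it prints, so it cannot be used to confirm that
# CURL_CA_BUNDLE was set.

# Print the bundle a given curl command line would use and where it came
# from. Reads CURL_CA_BUNDLE from the current environment.
resolve_curl_ca() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --cacert) printf '%s (--cacert)\n' "$2"; return 0 ;;
            --capath) printf '%s (--capath)\n' "$2"; return 0 ;;
        esac
        shift
    done
    if [ -n "${CURL_CA_BUNDLE:-}" ]; then
        printf '%s (CURL_CA_BUNDLE)\n' "$CURL_CA_BUNDLE"
    elif command -v curl-config >/dev/null 2>&1; then
        printf '%s (built into libcurl)\n' "$(curl-config --ca)"
    else
        echo 'built-in default (curl-config not installed here)'
    fi
}

# Show whether a child process (which is what curl is) sees the variable.
# $1 = "plain" for a bare assignment, "export" for an exported one.
# Runs in a subshell so the caller's environment is left untouched.
child_sees() (
    unset CURL_CA_BUNDLE
    CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt   # hypothetical value
    if [ "$1" = export ]; then
        export CURL_CA_BUNDLE
    fi
    sh -c 'printf "%s" "${CURL_CA_BUNDLE:-unset}"'
)

# Demonstration on made-up command lines (no network access).
resolve_curl_ca -s --cacert /etc/ssl/certs/cacert.pem https://example.com/
( CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt; resolve_curl_ca https://example.com/ )
echo "plain assignment, child sees: $(child_sees plain)"
echo "exported,         child sees: $(child_sees export)"
```

To make the variable global for every process on the box, put `export CURL_CA_BUNDLE=/path/to/bundle` somewhere every login and service picks up (for example /etc/environment or the service's own environment file), not just in an interactive shell; a web server started by init never sees what was typed at a prompt. Note also that an option on the command line always wins, so application code that already passes `--cacert` or sets `CURLOPT_CAINFO` is unaffected by the variable.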
For Ubuntu 10.04 lucid:

put http://curl.haxx.se/ca/cacert.pem into /usr/share/ca-certificates/ and add a line

cacert.pem

into /etc/ca-certificates.conf

sudo update-ca-certificates

download the latest openssl and curl (configure with --with-openssl), make and install.

It fixed my problem.
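The bundle-install procedure that the first answer (download cacert.pem) and the last answer (register it through /etc/ca-certificates.conf and update-ca-certificates) describe, as an added example that is not code from either answer, with the checks a practitioner would add before replacing a trust root: fetch over HTTPS, compare against the published SHA-256 digest, confirm the file actually holds certificates, and register it so that re-running the script does not duplicate the conf entry. Assumptions not taken from the thread: the bundle and its digest live at https://curl.se/ca/cacert.pem and https://curl.se/ca/cacert.pem.sha256 (the current home of the file the answers fetch from curl.haxx.se), and sha256sum from coreutils is available. Without arguments it runs an offline self-check on a constructed two-certificate file; with --install it performs the real procedure as root.

```shell
#!/bin/sh
# Added example, not code from the thread: install a current CA bundle
# system-wide on Debian/Ubuntu the way the answers describe, with the
# checks they skip. The bundle is fetched over HTTPS, checked against the
# published SHA-256 digest, checked to actually contain certificates, and
# only then registered with update-ca-certificates.
#
# Assumptions not taken from the thread: the bundle and its digest are at
# https://curl.se/ca/cacert.pem and https://curl.se/ca/cacert.pem.sha256
# (the current home of the file the answers fetch from curl.haxx.se), and
# sha256sum from coreutils is present.
set -e

BUNDLE_URL=https://curl.se/ca/cacert.pem
SUM_URL=https://curl.se/ca/cacert.pem.sha256

# Number of PEM certificates in a file. Prints 0 for a missing, empty or
# non-PEM file, e.g. an HTML error page that got saved as cacert.pem.
pem_cert_count() {
    if [ -r "$1" ]; then
        grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Compare a file against the first hex field of a sha256sum-style digest
# file ("<hex>  cacert.pem"). Succeeds only on an exact match.
verify_sha256() {
    expected=$(awk 'NR == 1 { print $1 }' "$2")
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Register a verified bundle for update-ca-certificates: copy it under the
# share directory and list it in the conf file at most once (rerunnable).
# $1 = bundle, $2 = /usr/share/ca-certificates, $3 = /etc/ca-certificates.conf
install_bundle() {
    cp "$1" "$2/cacert.pem"
    grep -qx 'cacert.pem' "$3" || echo 'cacert.pem' >> "$3"
}

# Full procedure; needs root. Trust for the download itself is bootstrapped
# from the distro bundle when one exists, since that is the file Ubuntu's
# curl reads by default.
main() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    ca_opt=
    if [ -r /etc/ssl/certs/ca-certificates.crt ]; then
        ca_opt='--cacert /etc/ssl/certs/ca-certificates.crt'
    fi
    curl -fsS $ca_opt -o "$tmp/cacert.pem" "$BUNDLE_URL"
    curl -fsS $ca_opt -o "$tmp/cacert.pem.sha256" "$SUM_URL"
    verify_sha256 "$tmp/cacert.pem" "$tmp/cacert.pem.sha256" \
        || { echo 'digest mismatch, not installing' >&2; exit 1; }
    n=$(pem_cert_count "$tmp/cacert.pem")
    [ "$n" -gt 0 ] || { echo 'no certificates in download' >&2; exit 1; }
    install_bundle "$tmp/cacert.pem" /usr/share/ca-certificates /etc/ca-certificates.conf
    update-ca-certificates
    echo "installed bundle with $n certificates"
}

# Offline self-check on a constructed two-certificate file (not real certs);
# run with --install to perform the real procedure.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'MIIC' '-----END CERTIFICATE-----' > "$d/cacert.pem"
    sha256sum "$d/cacert.pem" | sed 's#  .*#  cacert.pem#' > "$d/cacert.pem.sha256"
    echo "certificates in constructed bundle: $(pem_cert_count "$d/cacert.pem")"
    verify_sha256 "$d/cacert.pem" "$d/cacert.pem.sha256" && echo 'digest check: ok'
    echo 'tampered' >> "$d/cacert.pem"
    verify_sha256 "$d/cacert.pem" "$d/cacert.pem.sha256" || echo 'digest check after tampering: mismatch'
    rm -rf "$d"
}

case "${1:-}" in
    --install) main ;;
    *) demo ;;
esac
```

The digest published beside the file catches a truncated or mangled download, not a compromised server, since both come from the same place; what protects the trust root in transit is the HTTPS fetch verified against the distro's own ca-certificates.crt. update-ca-certificates also picks up any file with a .crt extension placed under /usr/local/share/ca-certificates without touching /etc/ca-certificates.conf, which keeps local additions out of the package-owned directory; the conf-file route above is kept because it is the one the answer describes.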