5

I'd like curl to work with sites signed by GoDaddy: If I call

curl mypage.com/bla

I am getting a certificate verification error. I tried getting the CA certificate with this snippet:

echo | openssl s_client -connect mysite.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem

and afterwards calling

curl mypage.com/bla --cacert cert.pem

which also caused a verification error. I checked the certificate date and subject and everything seems fine?

What am I missing? Do I maybe need the whole chain? If yes, is there a command to get it all?

ProfHase85

2 Answers

8

According to the documentation:

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.

If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

For GoDaddy you must use the SSL Certificate and CA Bundle (gd_bundle.crt). You can download it from https://certs.godaddy.com/repository/gd_bundle.crt

E.g.

curl https://mysite.com --cacert gd_bundle.crt
Federico Sierra
4

CA in cacert means certification authority. You should specify the cert or cert path of the authority that signed your certificate, not your certificate itself.

The command

openssl x509 -in YourSitePemCert -text

should list an issuer line. You should get the issuer certificate and include it in the cacert PEM file.

(In your case, searching for the GoDaddy cert chain leads to https://certs.godaddy.com/repository )

gnafou
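Both answers come down to what belongs in the file passed to --cacert. The script below is an added example, not code from either answer: it builds a throwaway root, intermediate and leaf certificate (all names are constructed) and checks which CA files let the leaf verify. It assumes `openssl verify` with default chain building as a stand-in for the client's check; a given curl build may differ in details depending on its TLS backend and version.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: root -> intermediate -> leaf. All names are hypothetical.
set -u

new_csr() {  # $1 = path prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

build_demo_pki() {  # $1 = working directory
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mysite.example\n' > "$d/leaf.ext"
  new_csr "$d/root" 'Demo Root CA'
  new_csr "$d/int" 'Demo Intermediate CA'
  new_csr "$d/leaf" 'mysite.example'
  # Self-signed root, then each certificate signed by the tier above it.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
  # Same shape as a vendor CA bundle: intermediate plus root in one PEM file.
  cat "$d/int.pem" "$d/root.pem" > "$d/bundle.pem"
}

issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# $1 = CA file, $2 = cert to check, $3 = optional intermediates as a server would send them.
# Default chain building: succeeds only if the chain ends at a self-signed cert in $1.
trusts() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

D=$(mktemp -d)
build_demo_pki "$D"
issuer_of "$D/leaf.pem"   # names the intermediate CA, not the site itself
for ca in leaf int root bundle; do
  if trusts "$D/$ca.pem" "$D/leaf.pem"; then r=verifies; else r=fails; fi
  echo "CA file $ca.pem, no intermediates supplied: $r"
done
if trusts "$D/root.pem" "$D/leaf.pem" "$D/int.pem"; then
  echo "CA file root.pem, intermediate supplied separately: verifies"
fi
```

Only bundle.pem verifies on its own; root.pem is enough once the intermediate is supplied alongside the leaf, which is what a correctly configured server does during the handshake.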