I used curl to make an HTTPS request to download the file. I used the command below:

    curl -v -o Output.pdf https://otherdomain.com/upload/manual-8mm-f35-csii-vdslr-5.pdf

The result I get is:

      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 184.106.55.122...
    * TCP_NODELAY set
    * Connected to otherdomain.com (184.106.55.122) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * Server certificate:
    *   subject: CN=www.otherdomain.com
    *   start date: Aug 01 00:00:00 2018 GMT
    *   expire date: Jul 31 12:00:00 2020 GMT
    *   common name: www.otherdomain.com
    *   issuer: CN=RapidSSL RSA CA 2018,OU=www.digicert.com,O=DigiCert Inc,C=US
    * NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
    * Peer's Certificate issuer is not recognized.
    * stopped the pause stream!
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    * Closing connection 0
    curl: (60) Peer's Certificate issuer is not recognized.
    More details here: https://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.

Any idea what the problem is and how I can fix it?

Jitesh T
  • Most probably your ca-bundle is out of date. What distribution are you using? What version? Are updates outstanding? – Gerald Schneider Jan 25 '19 at 11:35
  • Thanks @GeraldSchneider I am not a server guy. How can I check ca-bundle details (version, distribution)? Help me to extract those details. Thanks – Jitesh T Jan 25 '19 at 11:49
  • That depends on the Linux distribution you are using. Google package management – Gerald Schneider Jan 25 '19 at 12:30
  • We are using "Amazon Linux AMI release 2017.09" – Jitesh T Jan 25 '19 at 13:17
  • @GeraldSchneider We are using AWS Linux – Jitesh T Jan 25 '19 at 14:51
  • What is the domain name? – Michael Hampton Jan 25 '19 at 15:04
  • https://clickspecs.com – Jitesh T Jan 28 '19 at 06:53
  • @MichaelHampton clickspecs.com is the domain name – Jitesh T Jan 29 '19 at 10:14
  • That domain has a Let's Encrypt certificate. The detail in your post indicates that you are connecting to something with a "RapidSSL" certificate from DigiCert. Did you change your certificate and forget to tell us? Or is your curl client really connecting to some other domain? – Michael Hampton Jan 29 '19 at 13:45
  • Thanks @MichaelHampton You are right. We have a Let's Encrypt certificate. Forget about **otherdomain.com** we mentioned in the post. The actual URL is [https://www.rokinon.com/upload/manual-8mm-f35-csii-vdslr-5.pdf](https://www.rokinon.com/upload/manual-8mm-f35-csii-vdslr-5.pdf) Basically, I want to download the PDF from the above URL. As far as I know, **rokinon.com** has a "RapidSSL" certificate installed. We ran the following command from our server and it threw an error as mentioned in the post. `curl -v -o Output.pdf https://rokinon.com/upload/manual-8mm-f35-csii-vdslr-5.pdf` – Jitesh T Jan 30 '19 at 12:50
  • That web server is missing their intermediate certificate. Their admins need to fix the SSL configuration by adding the missing certificate. It's not a problem with your system. Of course you can work around it with `-k` as the message from curl advised you. – Michael Hampton Jan 30 '19 at 12:56
  • How can we add the intermediate certificate? Please guide me if you know. – Jitesh T Jan 30 '19 at 13:00
  • Is www.rokinon.com your site? – Michael Hampton Jan 30 '19 at 13:01
  • clickspecs.com is my site not rokinon.com – Jitesh T Jan 30 '19 at 13:02
  • @MichaelHampton plz help me something on this. – Jitesh T Feb 04 '19 at 07:19
  • Does the clickspecs.com domain have an issue? If yes, please mention the issue. clickspecs.com is my domain. www.rokinon.com is an external domain from which I tried to download the PDF – Jitesh T Feb 04 '19 at 07:22
  • The problem is that the server has a misconfigured TLS... But you can bypass the problem in curl by adding the -k flag. – Orphans Oct 08 '22 at 13:24

1 Answer

The problem is with the site you are trying to reach. They appear to have misconfigured TLS on their site. In particular, they are not sending an intermediate certificate named "RapidSSL RSA CA 2018" that they should have included in their web server configuration.

The site apparently has many other problems with their TLS setup.

You can't fix their web server because you don't have control over it. But perhaps you can contact someone there to let them know of their problem.

You can tell curl to ignore the certificate problem by using the -k option, but then you cannot be sure you are speaking to the genuine web site.

Michael Hampton