curl: unable to get local issuer certificate

Hello!

When I try to fetch some urls with cURL I get "unable to get local issuer certificate" errror.
Code:
[alex@develop ~]$ curl -v https://lk.payin-payout.net >/dev/null
* Rebuilt URL to: https://lk.payin-payout.net/
  % Total  % Received % Xferd  Average Speed  Time  Time  Time  Current
  Dload  Upload  Total  Spent  Left  Speed
  0  0  0  0  0  0  0  0 --:--:-- --:--:-- --:--:--  0*  Trying 148.251.3.241...
* Connected to lk.payin-payout.net (148.251.3.241) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:mad:STRENGTH
* successfully set certificate verify locations:
*  CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.0 (OUT), TLS handshake, Client hello (1):
} [105 bytes data]
* TLSv1.0 (IN), TLS handshake, Server hello (2):
{ [81 bytes data]
* TLSv1.0 (IN), TLS handshake, Certificate (11):
{ [3509 bytes data]
* TLSv1.0 (OUT), TLS alert, Server hello (2):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
cURL was built from ports, ca_root_nss-3.19.1_1 installed.
Mozilla Firefox and other browsers say that certificate is correct.
curl -k helps, but it is not good solution.

cURL https://freebsd.org works OK

cURL in Debian7 works OK:
Code:
alex@db01:~$ curl -v -1 https://lk.payin-payout.net >/dev/null
* About to connect() to lk.payin-payout.net port 443 (#0)
*  Trying 148.251.3.241...
  % Total  % Received % Xferd  Average Speed  Time  Time  Time  Current
  Dload  Upload  Total  Spent  Left  Speed
  0  0  0  0  0  0  0  0 --:--:-- --:--:-- --:--:--  0* connected
* Connected to lk.payin-payout.net (148.251.3.241) port 443 (#0)
* successfully set certificate verify locations:
*  CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
*  subject: CN=lk.payin-payout.net
*  start date: 2015-05-08 00:00:00 GMT
*  expire date: 2016-06-06 23:59:59 GMT
*  subjectAltName: lk.payin-payout.net matched
*  issuer: C=US; O=thawte, Inc.; OU=Domain Validated SSL; CN=thawte DV SSL CA - G2
*  SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.26.0
> Host: lk.payin-payout.net
> Accept: */*
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
< Server: nginx
< Date: Thu, 02 Jul 2015 04:59:59 GMT
< Content-Type: text/html; charset=utf8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: slim_session=1435814999%7CYToxOntzOjEwOiJzbGltLmZsYXNoIjthOjA6e319%7C4d1002611afd94b4824267d8f89ef41f00523877; path=/; expires=Thu, 02-Jul-2015 05:29:59 UTC
<
{ [data not shown]
100 16964  0 16964  0  0  75527  0 --:--:-- --:--:-- --:--:--  153k
* Connection #0 to host lk.payin-payout.net left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
} [data not shown]
Should I install additional ca certs?
 
Try this: ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
Then see if curl works.
 
Try this: ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
Then see if curl works.

Thanks for your answer!
Unfortunately this does not help.
Code:
[root@develop /home/alex]# ls -l /etc/ssl/cert.pem
lrwxrwxr-x  1 root  wheel  38  3 июл 05:13 /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt
[root@develop /home/alex]# curl -v https://lk.payin-payout.net
* Rebuilt URL to: https://lk.payin-payout.net/
*  Trying 148.251.3.241...
* Connected to lk.payin-payout.net (148.251.3.241) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:mad:STRENGTH
* successfully set certificate verify locations:
*  CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.0 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
 
It's not really a Curl issue. It fails with the same error using OpenSSL commands. If the certificate isn't in security/ca_root_nss then there isn't much you can do about it. It may be the older Debian 7 bundle still includes the certificate while the newer FreeBSD port doesn't.

Fails:
# openssl s_client -connect lk.payin-payout.net:443 -CAfile /usr/local/etc/ssl/cert.pem
Works:
# openssl s_client -connect www.FreeBSD.org:443 -CAfile /usr/local/etc/ssl/cert.pem
 
Try to find out if the certificate ever was in security/ca_root_nss and if it was why it was removed. Removals of certificates are always done for a good reason such as compromise of security of the certificate or its issuer.
 
Back
Top