Hello!
When I try to fetch some urls with cURL I get "unable to get local issuer certificate" errror.
cURL was built from ports, ca_root_nss-3.19.1_1 installed.
Mozilla Firefox and other browsers say that certificate is correct.
curl -k helps, but it is not good solution.
cURL https://freebsd.org works OK
cURL in Debian7 works OK:
Should I install additional ca certs?
When I try to fetch some urls with cURL I get "unable to get local issuer certificate" errror.
Code:
[alex@develop ~]$ curl -v https://lk.payin-payout.net >/dev/null
* Rebuilt URL to: https://lk.payin-payout.net/
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 148.251.3.241...
* Connected to lk.payin-payout.net (148.251.3.241) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:mad:STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* TLSv1.0 (OUT), TLS handshake, Client hello (1):
} [105 bytes data]
* TLSv1.0 (IN), TLS handshake, Server hello (2):
{ [81 bytes data]
* TLSv1.0 (IN), TLS handshake, Certificate (11):
{ [3509 bytes data]
* TLSv1.0 (OUT), TLS alert, Server hello (2):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Mozilla Firefox and other browsers say that certificate is correct.
curl -k helps, but it is not good solution.
cURL https://freebsd.org works OK
cURL in Debian7 works OK:
Code:
alex@db01:~$ curl -v -1 https://lk.payin-payout.net >/dev/null
* About to connect() to lk.payin-payout.net port 443 (#0)
* Trying 148.251.3.241...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* connected
* Connected to lk.payin-payout.net (148.251.3.241) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using ECDHE-RSA-AES256-SHA
* Server certificate:
* subject: CN=lk.payin-payout.net
* start date: 2015-05-08 00:00:00 GMT
* expire date: 2016-06-06 23:59:59 GMT
* subjectAltName: lk.payin-payout.net matched
* issuer: C=US; O=thawte, Inc.; OU=Domain Validated SSL; CN=thawte DV SSL CA - G2
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.26.0
> Host: lk.payin-payout.net
> Accept: */*
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
< Server: nginx
< Date: Thu, 02 Jul 2015 04:59:59 GMT
< Content-Type: text/html; charset=utf8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: slim_session=1435814999%7CYToxOntzOjEwOiJzbGltLmZsYXNoIjthOjA6e319%7C4d1002611afd94b4824267d8f89ef41f00523877; path=/; expires=Thu, 02-Jul-2015 05:29:59 UTC
<
{ [data not shown]
100 16964 0 16964 0 0 75527 0 --:--:-- --:--:-- --:--:-- 153k
* Connection #0 to host lk.payin-payout.net left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
} [data not shown]