Curl certificate update


















Daniel Stenberg Cody Pritchard. Update Starting with libcurl 7.

Daniel Stenberg. Yes, thank you for the help. After reading through the schannel. Is this still the same in ? OpenSSL can't access the windows Certificate store? That sounds ridiculous — user I believe it is still true, yes. However, I don't know how and if you can configure the ssl backend on the commandline executable.

Seems to be included in Windows 10 since April. Then we follow this thread - curl: 60 SSL certificate problem: unable to get local issuer certificate Dahomz answer After that, when we curl abc. Karl. Check the whole chain not just the leaf. Sectigo-was-Comodo, before getting the USERTrust root accepted in root stores, also chained from AddTrust, and if your curl on 'backend' is still using the chain to AddTrust that has expired.

See support. Can you give us any hints how to solve this issue. To fix the problem, remove the expired root certificate from your domain certificate. Manu. Thanks for this. I would recommend editing your answer to put the full fix first, because really setting the curl options is not a fix as the issue will still exist for other old clients accessing the same cert.

The site whatsmychaincert. I agree with BlueC: the certificate fix should be highlighted first, and then add the temporary curl fix for OP — alleen1. These steps fix the issue on the server side. Just as a quick note, the cert you will download at step 3 will be used in place of the old CA certificate.

Where should I enter those commands? It's not working. When we hit from frontend. HasanHafizPasha Do you have the issue with curl like mentioned in my post?

Yes mrmuggles, curl call from by front-end application — Hasan Hafiz Pasha. Well, it should work if you're on Ubuntu Did you get any error messages running the above? Also, if you have access to the backend, the answer from Manu is better since you will 'fix' the source. For ubuntu If you use the 'openssl' tool, this is one way to extract the CA cert for a particular server: If you are using the curl command line tool on Windows, curl will search for a CA cert file named "curl-ca-bundle.

One option is to extract the one a recent Firefox browser uses by running 'make ca-bundle' in the curl build tree root, or possibly download a version that was generated this way for you: CA Extract. Neglecting to use one of the above methods when dealing with a server using a certificate that is not signed by one of the certificates in the installed CA certificate store, will cause SSL to report an error "certificate verify failed" during the handshake and SSL will then refuse further communication with that server.

If libcurl was built with NSS support, then depending on the OS distribution, it is probably required to take some additional steps to use the system-wide CA cert db. RedHat ships with an additional module, libnsspem.

NSS also has a new database format. Starting with version 7. If libcurl was built with Schannel (Microsoft's native TLS engine) or Secure Transport (Apple's native TLS engine) support, then libcurl will still perform peer certificate verification, but instead of using a CA cert bundle, it will use the certificates that are built into the OS.

Any custom security rules for certificates will be honored. Schannel will run CRL checks on certificates unless peer verification is disabled.


