Wednesday, July 9, 2014

Curl error with Self Signed certificate - curl: (60) SSL certificate problem - SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

If you have decided to use a self-signed certificate for your internal-only web server, to save the few hundred dollars a year that a public certificate costs (Thawte, Verisign, Go Daddy, etc.), and have not addressed the CA root certificate on the client side, you will end up with the following message.

$ curl https://YourWebServer.company.com/
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). The default
 bundle is named curl-ca-bundle.crt; you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

What does this message say?

The client requested a secure connection to the web server, and the web server sent its certificate. The client cannot verify that certificate against the public certificate of the Certificate Authority (the root certificate, here PKIRootCA.crt) that signed the web server certificate, because that CA certificate is not in the client's trust store.

What do you need to do?

curl uses the OpenSSL CA bundle for verification. Other clients (Java, IE, Firefox, etc.) keep their CA bundles in different locations. On the client, you need to append PKIRootCA.crt to the CA bundle. The directory holding the bundle is given by the certs variable in the OpenSSL config file /etc/pki/tls/openssl.cnf:

$ grep certs /etc/pki/tls/openssl.cnf
certs           = $dir/certs    # Where the issued certs are kept

Take a backup, append the CA root certificate, and test:

# cp -a /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.org
$ curl https://YourWebServer.company.com/  << will fail on client
# cat companyPKIRootCA.crt >> /etc/pki/tls/certs/ca-bundle.crt
$ curl https://YourWebServer.company.com/  << should work fine on client
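Re-running the cat >> step every time the fix is applied appends a second copy of the root certificate to the bundle. The following added example (not from the original post) wraps the append so it is idempotent, comparing certificates by SHA-256 fingerprint, and then confirms with openssl verify that a server certificate issued by that CA validates against the bundle. It assumes openssl is installed; the CA, server certificate and bundle are constructed in a temporary directory, with file names mirroring the post (companyPKIRootCA.crt, ca-bundle.crt).

```shell
# Added example: idempotently append a CA root certificate to a CA bundle and verify the result.
set -eu

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds if the bundle ($1) already holds the certificate in $2, compared by fingerprint.
bundle_has_cert() {
    want=$(cert_fingerprint "$2")
    dir=$(mktemp -d)
    # Split the bundle into one PEM file per certificate; text before the first BEGIN is skipped.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
    found=1
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || break
        [ "$(cert_fingerprint "$f")" = "$want" ] && { found=0; break; }
    done
    rm -rf "$dir"
    return $found
}

# Back up the bundle and append the CA certificate unless it is already present.
append_ca_once() {
    if bundle_has_cert "$1" "$2"; then
        echo "already present: $2"
    else
        cp -a "$1" "$1.org"
        cat "$2" >> "$1"
        echo "appended: $2"
    fi
}

# Constructed demo: a throwaway root CA, a server cert it signs, and an empty bundle standing in
# for /etc/pki/tls/certs/ca-bundle.crt. Runs in a subshell so the temp directory stays local.
demo() (
    work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout ca.key -out companyPKIRootCA.crt -subj "/CN=Constructed Test Root CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr -subj "/CN=YourWebServer.company.com" 2>/dev/null
    openssl x509 -req -days 1 -in srv.csr -CA companyPKIRootCA.crt -CAkey ca.key -CAcreateserial -out srv.crt 2>/dev/null
    : > ca-bundle.crt
    openssl verify -CAfile ca-bundle.crt srv.crt >/dev/null 2>&1 && before=ok || before=fail
    append_ca_once ca-bundle.crt companyPKIRootCA.crt >/dev/null
    append_ca_once ca-bundle.crt companyPKIRootCA.crt >/dev/null   # second run must not duplicate
    openssl verify -CAfile ca-bundle.crt srv.crt >/dev/null 2>&1 && after=ok || after=fail
    count=$(grep -c 'BEGIN CERTIFICATE' ca-bundle.crt || true)
    echo "before=$before after=$after certs_in_bundle=$count"
)
```

Running demo prints before=fail after=ok certs_in_bundle=1: verification fails until the root is in the bundle, and the second append leaves a single copy.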

Additional Notes

- Upgrading or downgrading the openssl or ca-certificates RPMs does not overwrite ca-bundle.crt.
- You need to append the root certificate on all clients.

Reference

Article - How do I configure a CA and sign certificates using OpenSSL in Red Hat Enterprise Linux?
