I recently upgraded our server from 8.04 to 10.04, and all the software along with it.
From what I've found online, it seems that the new version of CURL doesn't include a CA bundle, and, as a result, fails to verify that the certificate of the server you're connecting to is signed by a valid authority.
The actual error is:
CURL error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE: certificate verify failed
Some places I've found suggest manually specifying a CA file or disabling the check altogether by setting an option when you call CURL, but I'd much rather fix the issue globally, rather than having to modify each application's CURL calls.
Is there a way to fix CURL's CA problem server-wide so that all of the existing application code works as is without needing to be modified?
I've been having the same trouble and after poking around a bit found that you can download a package of CA-certs ready for curl on Ubuntu directly from the curl dev site.
Now curl uses the most up-to-date bundle and you're good to go.
Had a similar problem with Ubuntu 12.04 running curl from the command line to get AWS command-line tools which were in GitHub. I found if I ran the command-line as such:
it would work. But trying to set the CURL_CA_BUNDLE environment variable so I could avoid the "cacert" argument would not work. Ultimately updating the ca-certificates seemed to resolve the problem:
As a side note, at one point I updated ca-certs from curl.haxx.se which did not resolve the problem but may have been related (sudo wget http://curl.haxx.se/ca/cacert.pem run from /etc/ssl/certs).
Typically, software that does not have a unique implementation and is compiled against OpenSSL will reference the system-wide ca-bundle.crt often located in /usr/share/ssl/certs. The location may be different in Ubuntu but the OpenSSL package should include the ca-bundle file.
CURL has a variety of options to specify how it verifies certificates:
CURL_CA_BUNDLE environment variable for the location of the ca-bundle file.
--capath allows you to specify the directory where CA certificates are located. (Overrides CURL_CA_BUNDLE)
--cacert allows you to specify the CA certificate file.
On my CentOS server, I can run the following to identify the ca-bundle path that CURL uses:
For Ubuntu 10.04 Lucid:
put http://curl.haxx.se/ca/cacert.pem into /usr/share/ca-certificates/
add a line cacert.pem into /etc/ca-certificates.conf
sudo update-ca-certificates
download the latest openssl and curl (configure with --with-openssl), make and install
It fixed my problem.
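The Ubuntu 10.04 steps above as an added shell example (not code from any of the posts): it checks that the downloaded file is structurally a PEM bundle, rather than for instance an HTML error page, before copying it and listing it in the configuration file once. The function names and the choice to pass the directories as parameters are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the posts). Directories are parameters so the
# functions can be tried on scratch paths before touching /etc.

# is_pem_bundle FILE
# Succeeds only if FILE holds at least one certificate block and every
# BEGIN marker has a matching END marker (structure only, no signature check).
is_pem_bundle() {
    [ -r "$1" ] || return 1
    begin=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    end=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    [ "$begin" -gt 0 ] && [ "$begin" -eq "$end" ]
}

# register_ca_bundle PEM CERT_DIR CONF
# Copies PEM into CERT_DIR and lists its file name in CONF exactly once.
register_ca_bundle() {
    pem=$1
    cert_dir=$2
    conf=$3
    name=$(basename "$pem")

    if ! is_pem_bundle "$pem"; then
        echo "refusing $pem: not a well-formed PEM certificate bundle" >&2
        return 1
    fi
    cp -- "$pem" "$cert_dir/$name" || return 1

    # -x whole line, -F literal string: no duplicate and no partial match.
    if grep -qxF -- "$name" "$conf" 2>/dev/null; then
        return 0
    fi
    # Start on a fresh line if CONF does not end with a newline.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        echo >> "$conf" || return 1
    fi
    printf '%s\n' "$name" >> "$conf"
}

# With the page's paths (as root), followed by the page's last step:
#   register_ca_bundle ./cacert.pem /usr/share/ca-certificates \
#       /etc/ca-certificates.conf && update-ca-certificates
```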