When I connect to my web server to view a site over HTTPS, I get the nice green EV thing in the address bar. When I use curl locally to connect, it complains about the certificate and dies.
I'm aware I can just skip the certificate checking but I'd like to fix the problem as there are other times that these certs will be checked locally.
My hosts file (on the server) maps www.domain.com to 192.168.100.62. which Apache is listening on (confirmed by doing a cURL to the same address via http):
root@web3:~# curl -v https://www.domain.com
* About to connect() to www.domain.com port 443 (#0)
* Trying 192.168.100.62... connected
* Connected to www.domain.com (192.168.100.62) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Peer's certificate issuer is not recognized: 'CN=Symantec Class 3 EV SSL CA - G3,OU=Symantec Trust Network,O=Symantec Corporation,C=US'
* NSS error -8179
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
I've poked around google a bit, but can't seem to find much.. it may be possible my root CA bundle is out-dated, or curl itself is too old to connect but I've not much experience with this.
root@web3:~# curl --version
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.18 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
cat /etc/redhat-release Red Hat Enterprise Linux Server release 6.7 (Santiago)
I have tried adding the verisign root cert by using the update-ca-trust
tool, but that also has no impact:
root@web3:anchors# pwd
/etc/pki/ca-trust/source/anchors
root@web3:anchors# ls
VeriSign-Class-3-Public-Primary-Certification-Authority-G3.crt
root@web3:anchors# update-ca-trust
root@web3:anchors# curl... <snip> same error.
I'm at a bit of a loss as to what the actual issue is. Are certificates only valid on internet IPs?
I fixed the problem by downloading Symantec_Class_3_EV_SSL_CA_G3.crt and installing it:
The problem then just went away :) Not sure why this isn't included by default in the root CA bundle.