curl / Mailing Lists / curl-users / Single Mail


Re: Intermediate Certificate

From: Ralph Mitchell <>
Date: Thu, 6 Dec 2018 16:27:49 -0500

On Thu, Dec 6, 2018 at 4:22 PM Marcionelli Michele <> wrote:

> Hej,
> I wrote a kind of link-checker in bash using curl and sometimes the check
> fails - I think - because of an incomplete certificate chain. But with a
> browser the certificate looks good.
> For instance this fails on a Fedora 29 (and also on CentOS 6, 7, Fedora 28
> & CentOS 6 with self compiled curl 7.62.0):
> # curl -v
> * Rebuilt URL to:
> * Trying
> * Connected to ( port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * successfully set certificate verify locations:
> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
> CApath: none
> * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> * TLSv1.3 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (OUT), TLS alert, unknown CA (560):
> * SSL certificate problem: unable to get local issuer certificate
> * Closing connection 0
> curl: (60) SSL certificate problem: unable to get local issuer certificate
> # curl --version
> curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1
> zlib/1.2.11 brotli/1.0.5 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5)
> libssh/0.8.5/openssl/zlib nghttp2/1.34.0
> Release-Date: 2018-09-05
> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3
> pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
> Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
> NTLM_WB SSL libz brotli TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL Metalink
> The same command works on my Mac with OS X 10.13.6:
> # curl -v
> * Rebuilt URL to:
> * Trying
> * Connected to ( port 443 (#0)
> * ALPN, offering h2
> * ALPN, offering http/1.1
> * Cipher selection:
> * successfully set certificate verify locations:
> * CAfile: /etc/ssl/cert.pem
> CApath: none
> * TLSv1.2 (OUT), TLS handshake, Client hello (1):
> * TLSv1.2 (IN), TLS handshake, Server hello (2):
> * TLSv1.2 (IN), TLS handshake, Certificate (11):
> * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> * TLSv1.2 (IN), TLS handshake, Server finished (14):
> * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
> * TLSv1.2 (OUT), TLS handshake, Finished (20):
> * TLSv1.2 (IN), TLS change cipher, Client hello (1):
> * TLSv1.2 (IN), TLS handshake, Finished (20):
> * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> * ALPN, server did not agree to a protocol
> * Server certificate:
> * subject: C=US; postalCode=08540; ST=New Jersey; L=Princeton; street=1
> Einstein Drive; O=Institute for Advanced Study; OU=School of Mathematics;
> CN=*
> * start date: Mar 15 00:00:00 2018 GMT
> * expire date: Mar 15 23:59:59 2019 GMT
> * subjectAltName: host "" matched cert's "*"
> * issuer: C=US; ST=MI; L=Ann Arbor; O=Internet2; OU=InCommon; CN=InCommon
> RSA Server CA
> * SSL certificate verify ok.
> # curl --version
> curl 7.54.0 (x86_64-apple-darwin17.0) libcurl/7.54.0 LibreSSL/2.0.20
> zlib/1.2.11 nghttp2/1.24.0
> Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3
> pop3s rtsp smb smbs smtp smtps telnet tftp
> Features: AsynchDNS IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB
> SSL libz HTTP2 UnixSockets HTTPS-proxy
> Does anyone have any idea why it fails in the first case?
> Why does it work in the second case?
> And, most important for me, what can I do to run a successful check on
> CentOS/Fedora?
> Bests,
> Michele
> PS: I also copied my Mac /etc/ssl/cert.pem to Linux, without positive
> effect...

In Fedora 29, you're not using the /etc/ssl/cert.pem:

      * successfully set certificate verify locations:
      * CAfile: /etc/pki/tls/certs/ca-bundle.crt

Try it as:

     curl -v --capath /etc/ssl/cert.pem

Ralph Mitchell

Received on 2018-12-06