cURL / Mailing Lists / curl-users / Single Mail


Re: Verify incomplete chain

From: Dan Fandrich <>
Date: Wed, 13 Apr 2016 15:31:09 +0200

On Wed, Apr 13, 2016 at 03:01:15PM +0200, Jan Prachar wrote:
> I can't figure out the following problem. Maybe some of you could help me to
> understand it.
> if I compile curl with OpenSSL
> ./configure --with-ca-path=/etc/ssl/certs --with-ca-bundle=/etc/ssl/certs/
> ca-certificates.crt --with-ssl
> and then run
> curl -v
> I get error that certificate verification failed (unable to get local issuer
> certificate) as expected.
> But I compile curl with gnutls
> ./configure --with-ca-path=/etc/ssl/certs --with-ca-bundle=/etc/ssl/certs/
> ca-certificates.crt --without-ssl --with-gnutls
> And then try the same URL, the server certificate is verified. How it is
> possible? I checked that the missing CA certificate isn't downloaded according
> to AIA extension. Could be there a bug in gnutls library? (I have version
> 3.4.10).

What version of curl are you using? It works as expected for me with git HEAD
and gnutls 3.2.21:

curl -v
* STATE: INIT => CONNECT handle 0x8a0f7f4; line 1402 (connection #-5000)
* Rebuilt URL to:
* Added connection 0. The cache now contains 1 members
* Trying
* STATE: CONNECT => WAITCONNECT handle 0x8a0f7f4; line 1455 (connection #0)
* Connected to ( port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x8a0f7f4; line 1554 (connection #0)
* Marked for [keep alive]: HTTP default
* found 192 certificates in /etc/pki/tls/certs/ca-bundle.crt
* ALPN, offering http/1.1
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x8a0f7f4; line 1568 (connection #0)
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification failed. CAfile: /etc/pki/tls/certs/ca-bundle.crt CRLfile: none
* Marked for [closure]: Failed HTTPS connection
* multi_done
* Closing connection 0
* The cache now contains 0 members
curl: (60) server certificate verification failed. CAfile: /etc/pki/tls/certs/ca-bundle.crt CRLfile: none
More details here:

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

>>> Dan
List admin:
Received on 2016-04-13