

Re: Unknown SSL protocol error in connection

From: Brian Dessent <>
Date: Mon, 24 Nov 2008 17:41:43 -0800

wrote:

> --trace-ascii -k --cacert /app_home/mycert.pem --url
> [...]
> == Info: SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed
> [...]
> so exactly what do I need to do to test this? This is definitely something
> I'll have to post at the OpenSSL forums, but I was hoping (with my
> ignorance of SSL) someone might be able to give me some pointers without me
> having to post to the OpenSSL people asking something completely ignorant.

I think you are misunderstanding what is being verified. The thing that
you pass with --cacert should be a bundle of CA certificates to verify
the remote site. Thus, presents your end with its
certificate and libcurl uses the thing provided by --cacert to verify
that is who they say they are according to some
well-known certificate authority (CA) who signed their cert. If you
don't have that well-known authority's certificate (in this case
Godaddy) in your CA bundle, then you can't verify that
is who they say they are.

It seems like you have generated a self-signed certificate and passed
that as --cacert. That doesn't make any sense. A self-signed
certificate can do nothing to verify the certificate that is presenting, which is all that curl is trying to do.
(Also, passing -k and --cacert both at the same time makes no sense
either, they are saying opposite things.)

What is it exactly that you are trying to achieve?

Do you want to access public https: sites and verify their certificates
to know with certainty that they are who they say they are? Then you
need to use a bundle containing root certs of all the well-known and
trusted public CAs, such as what comes with your browser (or from

Do you want to set up your own https: site, with a fake snake oil
self-signed cert for testing? In that case, you need to generate your
own snake oil CA, then generate and sign your server's cert with that
CA's cert, then install the resulting cert on the server, and then hit
that server's https: url with curl, passing your CA's cert to curl with
--cacert so it can use it to verify the cert that your server presents.
The commands to do all these things are a little complicated but they're
all covered in the openssl documentation.

Received on 2008-11-25
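The procedure Brian describes above (private CA, server cert signed by it, verification with the CA cert as the --cacert bundle), worked through as an added example that is not part of the original mail. It also reproduces the mistake from the thread: a self-signed server certificate passed as the "CA" file cannot verify anything. It needs the openssl CLI (1.1.1 or newer); the hostname test.example, the scratch directory and all file names are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not part of the original mail: build a throwaway "snake oil"
# CA, sign a server certificate with it, and show which file is a valid
# argument for curl --cacert. Needs the openssl CLI (1.1.1 or newer). The
# hostname test.example, the scratch directory and all file names are
# assumptions made for this demo.
set -eu

WORK="${SNAKEOIL_DIR:-$(mktemp -d)}"
HOST="test.example"

# Step 1: the private CA. Its self-signed root cert is the thing you hand to
# curl --cacert; its private key must never leave the signing machine.
make_snakeoil_ca() {
    cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Snake Oil Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/ca.cnf" -extensions ca_ext \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Step 2: server key + CSR, then the CA signs it. The SAN matters: curl
# matches the URL's host against subjectAltName, not only against the CN.
issue_server_cert() {
    cat > "$WORK/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $HOST
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/server.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server.cnf" -extensions server_ext \
        -out "$WORK/server.pem" >/dev/null 2>&1
    # The mistake from the thread: a self-signed *server* cert. It has signed
    # nothing, so it cannot vouch for the certificate a server presents.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/server.cnf" -extensions server_ext \
        -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" >/dev/null 2>&1
}

# Step 3: the same check curl performs before it sends any HTTP: chain the
# presented cert back to a trust anchor in the bundle and confirm the hostname
# matches. Returns openssl's exit status (0 = verified).
verify_with() {            # usage: verify_with <bundle.pem> <presented.pem>
    openssl verify -CAfile "$1" -verify_hostname "$HOST" "$2" >/dev/null 2>&1
}

make_snakeoil_ca
issue_server_cert
if verify_with "$WORK/ca.pem" "$WORK/server.pem"; then
    echo "ca.pem verifies server.pem: curl --cacert $WORK/ca.pem https://$HOST/"
fi
if ! verify_with "$WORK/selfsigned.pem" "$WORK/server.pem"; then
    echo "selfsigned.pem does NOT verify server.pem: it is useless as --cacert"
fi
```

Once server.pem and server.key are installed on the test server, `curl --cacert ca.pem https://test.example/` performs exactly the check in `verify_with`. Do not add -k to that command: -k turns the verification off, so anything passed with --cacert is then ignored and the connection is no longer authenticated.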