Re: peer certificate cannot be authenticated: osx works, windows doesn't

From: Ray Satiro via curl-library <curl-library_at_cool.haxx.se>
Date: Mon, 6 Nov 2017 14:02:19 -0500

On 11/6/2017 10:38 AM, Thomas Blom via curl-library wrote:
> Using curl 7.56.0, built against openssl-1.0.2l, I am using
> curl_easy_perform() to post to a server and receive results into a
> file using the CURLOPT_WRITEDATA and an open file handle.
>
> This worked fine under both OSX and Windows using an http url, but
> when I use https, having installed certificates on the aws-linux
> server, I find that while OSX still works fine, windows (v10) now
> fails with error 60, "Peer certificate cannot be authenticated with
> given CA certificates".
>
> The certs are cheap ones - PositiveSSL via Comodo.
>
> Reading https://curl.haxx.se/docs/sslcerts.html, I think I understand
> that this depends on the CA "store" being used on the OS, so my guess
> was that OSX is trusting PositiveSSL, but Windows is not.  But, I find
> that if I navigate to this site with MS Edge, which presumably uses
> the same OS CA-store, it is fine with the https site, using those same
> certs.
>
> I see in the doc referenced that I can defeat the peer validation with
> curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE), but I'd prefer
> a better solution, which may be just buying better certs?  This is
> software that is to be distributed and used by lots of folks, so it's
> not an option to just update the CA store on my windows machine so
> that this cert is trusted.

Disabling ssl verification for software in production is of very limited
use and usually wrong. In most cases you will want your https transfers
protected and authenticated. Check that your computer's date and time are
correct and that your certificate is not expired. Since it is working in
Edge those things are probably ok.

MS Edge is using the native certificate store because it's using the
native Schannel SSL (what we also call WinSSL). curl w/ OpenSSL in
Windows does not do that, instead you have to supply the SSL
certificates. There is not enough information in your report to tell
whether you are supplying them. You can download a standard certificate
bundle [1] and rename it from cacert.pem to curl-ca-bundle.crt and put
it in the same directory as your curl.exe. For libcurl you will need to
set CURLOPT_CACERT [2] with the location. Over time those certificates
change and may need to be updated. You could avoid all this by building
curl to use WinSSL instead, and then it will use the built in
certificates that are updated automatically by Microsoft.

My last guess as to what's happening if those things don't fit is your
server is not configured properly to send all the required intermediate
certificates. That is an error I've seen a few times and often missed in
testing. The reason is some clients will cache intermediate certificates
received from a server and then use those certificates when they are
missing from other servers. Firefox (NSS) and Windows (SChannel) do
that. So someone will test in Firefox and think well their website works
but actually Firefox (or NSS I guess) is being helpful and just filling
in the blanks. And it may or may not work in some other Firefox
depending on whether the intermediate has been cached. As far as I know,
OpenSSL will not cache intermediates received from a server and that is
perfectly acceptable since it is your server's responsibility to include
those intermediates. Check that your server is sending all the required
intermediates.

If you still need help please reply with more information, preferably
your curl_version() and some way we can use to reproduce. (Keep in mind
this is a public mailing list so please don't post anything sensitive.)

[1]: https://curl.haxx.se/docs/caextract.html
[2]: https://curl.haxx.se/libcurl/c/CURLOPT_CAINFO.html
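The missing-intermediate case described above, as an added example that is not part of this thread or of curl: a shell script that builds a throwaway root CA, intermediate CA and leaf certificate with the openssl command-line tool (assumed installed) and then verifies the leaf against the root with and without the intermediate. The failure without it is exactly what a server that omits its intermediate produces against a client that, like OpenSSL, does not fill in the blanks from a cache.

```shell
# Added example, not from the thread: all keys and certificates below are
# constructed on the fly in a temp dir and are not real. Assumes the
# openssl CLI is available.
set -e
WORK=$(mktemp -d)
cd "$WORK"
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > leaf.ext <<'EOF'
basicConstraints=CA:FALSE
subjectAltName=DNS:example.test
EOF

# Self-signed root: stands in for the entry in the client's CA bundle.
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -new -key root.key -subj "/CN=Example Root CA" -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
  -out root.pem 2>/dev/null

# Intermediate signed by the root: the cert the server must send along.
openssl genrsa -out int.key 2048 2>/dev/null
openssl req -new -key int.key -subj "/CN=Example Intermediate CA" -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out int.pem 2>/dev/null

# Leaf signed by the intermediate: the server's own certificate.
openssl genrsa -out leaf.key 2048 2>/dev/null
openssl req -new -key leaf.key -subj "/CN=example.test" -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 2 -extfile leaf.ext -out leaf.pem 2>/dev/null

# verify_leaf [chainfile]: checks leaf.pem against the trusted root only.
# The optional chain file plays the role of the intermediates a server sends.
verify_leaf() {
  if [ -n "$1" ]; then
    openssl verify -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1
  else
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
  fi
}
if verify_leaf; then echo "without intermediate: verified (unexpected)"; \
else echo "without intermediate: FAILED, as curl+OpenSSL would report"; fi
if verify_leaf int.pem; then echo "with intermediate: verified"; \
else echo "with intermediate: FAILED (unexpected)"; fi
```

To check a live server the same way, feed the extra certificates from `openssl s_client -showcerts` to `-untrusted` in place of int.pem; if the leaf only verifies when you add the intermediate by hand, the server is not sending it.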

Received on 2017-11-06