Does cURL accept a CA that is not self signed?

Hi Everyone,

I'm having trouble connecting to a server that uses Let's Encrypt. The
code is below. The error is:

    Error: Failed to download file, error 60, SSL peer
    certificate or SSH remote key was not OK.

The code is below, and the real code performs error checking. The only
failure is the download.

    // Let's Encrypt Authority X3. Looks OK with 'openssl x509'
    const char ca[] = "./letsencrypt-ca.pem";
    ...

    curl = curl_easy_init();
    curl_easy_setopt (curl, CURLOPT_URL, url);
    curl_easy_setopt (curl, CURLOPT_CAINFO, ca);
    curl_easy_setopt (curl, CURLOPT_WRITEDATA, fp);

    res = curl_easy_perform(curl);
    if (res != CURLE_OK)
    {
        log_error("Failed to download file, error %d, %s.\n", res,
curl_easy_strerror(res));
    }

The only thing I can think of is, cURL does not accept a CA that is
not self signed. If that is the case, is it possible to opt-out of the
RFC 4158 requirement. In OpenSSL the option I want/need is
X509_V_FLAG_PARTIAL_CHAIN. (As far as I know, the only place that
effectively forbids non-self signed CA's is the path building RFC).

Does anyone spot anything out of the ordinary?

Jeff
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2019-11-28