# Curl - SSL certificate problem



## nerozero (Aug 8, 2016)

Hello,

I am getting the

```
SSL certificate problem: unable to get local issuer certificate
```

message on all sites:


```
# curl -v https://freebsd.org
* Rebuilt URL to: https://freebsd.org/
*  Trying 8.8.178.110...
*  Trying 2001:1900:2254:206a::50:0...
* Immediate connect fail for 2001:1900:2254:206a::50:0: No route to host
* Connected to freebsd.org (8.8.178.110) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
```

FreeBSD version: 10.3-RELEASE

```
curl --version
curl 7.50.1 (i386-portbld-freebsd10.3) libcurl/7.50.1 OpenSSL/1.0.1s zlib/1.2.8
```

Also /etc/ssl/cert.pem is linked to /usr/local/share/certs/ca-root-nss.crt

Thanks


----------



## SirDice (Aug 8, 2016)

Is security/ca_root_nss up to date?


----------



## nerozero (Aug 8, 2016)

```
pkg info | grep ca_root
ca_root_nss-3.26  Root certificate bundle from the Mozilla Project
```


----------



## Murph (Aug 8, 2016)

Do you have some form of SSL proxy involved (either locally, or at your ISP)?  The behaviour you are seeing could be a symptom of a man in the middle attack against SSL.  SSL is fundamentally incompatible with middle of the network proxies, by intentional design.

That said, I don't know for certain if that error message is indicating a problem verifying the remote server's certificate, or a problem with a local client certificate.  Have you been playing around with certificates and the like at your end?

For reference, the certificate from https://freebsd.org/ should look like this in `curl -v https://freebsd.org/`:

```
* Server certificate:
*  subject: OU=Domain Control Validated; OU=Gandi Standard Wildcard SSL; CN=*.freebsd.org
*  start date: Nov  5 00:00:00 2015 GMT
*  expire date: Dec  1 23:59:59 2016 GMT
*  subjectAltName: host "freebsd.org" matched cert's "freebsd.org"
*  issuer: C=FR; ST=Paris; L=Paris; O=Gandi; CN=Gandi Standard SSL CA 2
*  SSL certificate verify ok.
```

Something you could try as a diagnostic (but not recommended as a solution, for obvious reasons), is `curl -v --insecure https://freebsd.org/`, to disable certificate authentication.


----------



## nerozero (Aug 8, 2016)

Thanks for replying,
but I have a strong feeling that this is some kind of cert location/access issue.


```
# curl -vI --cacert /etc/ssl/cert.pem https://freebsd.org/

*  Trying 8.8.178.110...
*  Trying 2001:1900:2254:206a::50:0...
* Immediate connect fail for 2001:1900:2254:206a::50:0: No route to host
* Connected to freebsd.org (8.8.178.110) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*  subject: OU=Domain Control Validated; OU=Gandi Standard Wildcard SSL; CN=*.freebsd.org
*  start date: Nov  5 00:00:00 2015 GMT
*  expire date: Dec  1 23:59:59 2016 GMT
*  subjectAltName: host "freebsd.org" matched cert's "freebsd.org"
*  issuer: C=FR; ST=Paris; L=Paris; O=Gandi; CN=Gandi Standard SSL CA 2
*  SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: freebsd.org
> User-Agent: curl/7.50.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Date: Mon, 08 Aug 2016 15:14:53 GMT
Date: Mon, 08 Aug 2016 15:14:53 GMT
< Content-Length: 0
Content-Length: 0
< Connection: keep-alive
Connection: keep-alive
< Server: Varnish
Server: Varnish
< X-Varnish: 354271037
X-Varnish: 354271037
< Location: https://www.freebsd.org/
Location: https://www.freebsd.org/
< Strict-Transport-Security: max-age=31536000
Strict-Transport-Security: max-age=31536000
```

This is a newly installed system. I just tried to install the git port, then I faced a problem with git clone ...

Is there a way to see the path of the certificate file hardcoded into curl?


----------



## ondra_knezour (Aug 8, 2016)

From curl-config(1):


> *SYNOPSIS*
> *curl-config* *[options]*
> 
> *DESCRIPTION*
> ...


----------



## nerozero (Aug 8, 2016)

`curl-config --ca` returns nothing

```
# curl-config --ca

#
```

Here is a listing of `curl-config --configure` (reformatted for easier reading):

```
# curl-config --configure
'--disable-werror'
'--enable-imap'
'--enable-pop3'
'--enable-rtsp'
'--enable-smtp'
'--with-zsh-functions-dir=/usr/local/share/zsh/site-functions'
'--without-axtls'
'--without-ca-bundle'
'--enable-cookies'
'--disable-curldebug'
'--disable-debug'
'--without-nghttp2'
'--without-libidn'
'--enable-ipv6'
'--disable-ldap'
'--disable-ldaps'
'--without-libssh2'
'--without-libmetalink'
'--enable-proxy'
'--without-libpsl'
'--without-librtmp'
'--enable-tls-srp'
'--with-gssapi=/usr'
'CFLAGS=-I/usr/include -O2 -pipe  -isystem /usr/local/include -fstack-protector -fno-strict-aliasing'
'LDFLAGS=-L/usr/lib  -L/usr/lib -L/usr/lib -L/usr/local/lib -L/usr/lib -fstack-protector'
'LIBS=-lkrb5 -lgssapi -lgssapi_krb5 -lkrb5 -lgssapi -lgssapi_krb5'
'KRB5CONFIG=/usr/bin/krb5-config'
'--disable-ares'
'--enable-threaded-resolver'
'--without-gnutls'
'--without-nss'
'--with-ssl=/usr'
'--without-polarssl'
'--without-cyassl'
'--prefix=/usr/local'
'--localstatedir=/var'
'--mandir=/usr/local/man'
'--infodir=/usr/local/info/'
'--build=i386-portbld-freebsd10.3'
'build_alias=i386-portbld-freebsd10.3'
'CC=cc'
'CPPFLAGS=-I/usr/include -I/usr/include -isystem /usr/local/include'
'CPP=cpp'
```

curl was compiled using default settings.

```
[ ] CA_BUNDLE  Install CA bundle for OpenSSL  
[x] COOKIES  Cookies support  
[ ] CURL_DEBUG  cURL debug memory tracking  
[ ] DEBUG  Build with debugging support  
[x] DOCS  Build and/or install documentation  
[x] EXAMPLES  Build and/or install examples  
[ ] HTTP2  HTTP protocol version 2.0 support  
[ ] IDN  International Domain Names support  
[x] IPV6  IPv6 protocol support  
[ ] LDAP  LDAP protocol support  
[ ] LDAPS  LDAP protocol over SSL support  
[ ] LIBSSH2  SCP/SFTP support via libssh2  
[ ] METALINK  Metalink support  
[x] PROXY  Proxy support  
[ ] PSL  Public Suffix List support  
[ ] RTMP  RTMP protocol support via librtmp  
[x] TLS_SRP  TLS-SRP (Secure Remote Password) support  
---------------------- GSSAPI Security API support ----------------------
(*) GSSAPI_BASE  GSSAPI support via base system (Kerberos required)
( ) GSSAPI_HEIMDAL  GSSAPI support via security/heimdal  
( ) GSSAPI_MIT  GSSAPI support via security/krb5  
( ) GSSAPI_NONE  Disable GSSAPI support  
------------------------- DNS resolving options -------------------------
( ) CARES  Asynchronous DNS resolution via c-ares  
(*) THREADED_RESOLVER  Threaded DNS resolver  
-------------------------- SSL protocol support -------------------------
( ) GNUTLS  SSL/TLS support via GnuTLS  
( ) NSS  SSL/TLS support via NSS  
(*) OPENSSL  SSL/TLS support via OpenSSL  
( ) POLARSSL  SSL/TLS support via PolarSSL  
( ) WOLFSSL  SSL/TLS support via wolfSSL
```


----------



## Murph (Aug 8, 2016)

nerozero said:


> curl was compiled using default settings.
> 
> ```
> [ ] CA_BUNDLE  Install CA bundle for OpenSSL
> ...



No, it wasn't.  CA_BUNDLE is enabled by default, and it looks like it is the issue here.  `make rmconfig` to return to the default port config.


----------
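The thread above ends with the right diagnosis (the port was built with `--without-ca-bundle`, so `curl-config --ca` prints nothing and libcurl hands OpenSSL no trust anchors at all), but it reaches it by reading configure flags by eye, and Murph's `--insecure` suggestion is a tempting shortcut that would simply hide the problem. The script below is an added example, not code from the thread or from the curl project. It checks the three things that matter in this failure mode: how the build was configured, which CA file the `curl` tool will actually load (the `CURL_CA_BUNDLE` environment variable overrides the compiled-in path; with the OpenSSL backend there is no fallback to OpenSSL's own default paths unless curl was built with `--with-ca-fallback`), and whether that file is a readable PEM bundle. The error text itself is OpenSSL verify error 20 (`X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY`) and refers to the server's chain, not to any client certificate. The `SAMPLE_*` values are constructed stand-ins for the poster's `curl-config` output so the script runs offline; `probe_host` is the only part that needs curl and a network, and it keeps verification on instead of using `-k`.

```shell
#!/bin/sh
# Diagnose a curl that fails with "SSL certificate problem: unable to get
# local issuer certificate" on every host. The question is not "is the CA
# bundle on disk?" but "which CA file, if any, does this curl load?".

# Classify the build from `curl-config --configure` output read on stdin.
# Prints one of: without | with:<path> | default
ca_bundle_build_status() {
    flags=$(cat)
    case "$flags" in
        *--without-ca-bundle*) echo without ;;
        *--with-ca-bundle=*)
            printf 'with:%s\n' "$(printf '%s\n' "$flags" \
                | sed -n "s/.*--with-ca-bundle=\([^' ]*\).*/\1/p" | head -n 1)" ;;
        *) echo default ;;
    esac
}

# Resolve the CA file the curl tool will use, in the order it applies:
# $CURL_CA_BUNDLE from the environment, then the compiled-in path that
# `curl-config --ca` prints, else none. With the OpenSSL backend "none"
# means no trust anchors at all (no fallback to OpenSSL's default verify
# paths unless built with --with-ca-fallback), so every chain fails with
# X509 error 20 even though /etc/ssl/cert.pem exists and is valid.
effective_cafile() {
    env_bundle=$1      # value of $CURL_CA_BUNDLE, may be empty
    builtin_bundle=$2  # output of `curl-config --ca`, may be empty
    if [ -n "$env_bundle" ]; then
        printf '%s\n' "$env_bundle"
    elif [ -n "$builtin_bundle" ]; then
        printf '%s\n' "$builtin_bundle"
    else
        echo none
    fi
}

# Sanity-check a bundle: readable and actually containing PEM certificates.
# A dangling symlink (e.g. /etc/ssl/cert.pem -> a missing ca-root-nss.crt)
# or an empty file yields 0.
count_bundle_certs() {
    bundle=$1
    [ -r "$bundle" ] || { echo 0; return; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle"
}

# Map the exit code of a verification probe to its meaning (codes as
# documented for curl 7.50; later releases report 60 for what 51 meant).
classify_curl_exit() {
    case "$1" in
        0)  echo "verify ok" ;;
        60) echo "chain not trusted: no CA in the loaded bundle signs the server cert" ;;
        51) echo "peer certificate rejected: name mismatch or otherwise invalid" ;;
        77) echo "CA file could not be read or is not PEM" ;;
        *)  echo "other failure ($1)" ;;
    esac
}

# Probe a host with an explicit CA file. Verification stays on, so "verify
# ok" proves the bundle is fine and the compiled-in path is the problem;
# -k/--insecure would only hide that (and accept any man-in-the-middle).
# Needs curl and network access; not run below.
probe_host() {
    host=$1
    cafile=$2
    curl -s -o /dev/null --cacert "$cafile" "https://$host/" 2>/dev/null
    classify_curl_exit $?
}

# Constructed stand-ins for the poster's `curl-config` output.
SAMPLE_CONFIGURE="'--disable-werror' '--without-ca-bundle' '--with-ssl=/usr'"
SAMPLE_CURL_CONFIG_CA=""   # `curl-config --ca` printed nothing

status=$(printf '%s\n' "$SAMPLE_CONFIGURE" | ca_bundle_build_status)
cafile=$(effective_cafile "${CURL_CA_BUNDLE:-}" "$SAMPLE_CURL_CONFIG_CA")
echo "build: $status; CA file curl will load: $cafile"
if [ "$cafile" = none ]; then
    echo "fix: re-enable CA_BUNDLE (make rmconfig) and rebuild the port,"
    echo "     or export CURL_CA_BUNDLE=/etc/ssl/cert.pem as a stopgap"
else
    echo "certificates in $cafile: $(count_bundle_certs "$cafile")"
fi
```

On a real system feed the live output in instead of the samples (`curl-config --configure | ca_bundle_build_status`, `effective_cafile "$CURL_CA_BUNDLE" "$(curl-config --ca)"`) and finish with `probe_host freebsd.org /etc/ssl/cert.pem`; a "verify ok" there alongside a failing plain `curl` is exactly the evidence the thread needed before looking at port options.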



## nerozero (Aug 8, 2016)

Ouch, my fault. I probably clicked the space bar in the config session.  
Thank you.


----------

