# curl, wget fail, but openssl says certificate chain is OK



## ccsmith (Oct 30, 2014)

I'm having trouble accessing https://api.owncloud.com using curl and wget: both complain about a self signed certificate in the chain, but openssl s_client says the connection is OK.

Other OSs, Debian and OS X, have no problem accessing the URL through curl. And I can access other HTTPS sites from FreeBSD with no problem, including the the site of the root certificate of the problem site (godaddy.com).

I am running FreeBSD 10-RELEASE and have installed security/ca_root_nss.

If anyone can shed some light on this and/or do some testing of their own, it would be much appreciated.


```
openssl s_client -connect api.owncloud.com:443 -CAfile /usr/local/share/certs/ca-root-nss.crt
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.opendesktop.org
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.opendesktop.org
  i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
  i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
  i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
  i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFLDCCBBSgAwIBAgIHTp8KeqEHMDANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UE
BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY
BgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMS0wKwYDVQQLEyRodHRwOi8vY2VydHMu
Z29kYWRkeS5jb20vcmVwb3NpdG9yeS8xMzAxBgNVBAMTKkdvIERhZGR5IFNlY3Vy
ZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgLSBHMjAeFw0xNDA5MTAwOTQzMzNaFw0x
NjA5MTAwOTQzMzNaMD8xITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRl
ZDEaMBgGA1UEAwwRKi5vcGVuZGVza3RvcC5vcmcwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDLS+v3PiUbN94XwPnSVA9Q7XIWZpssq2Ifoo3Ib1iYnU6N
JAu39Hsz5aUbiA9f47ntAJxgPDNJax85ZApfAo6TonKjqJM1AzhTYJ2QpBuX+t6d
x12jxfA5DQNtNE3j3qtD46b/xQPJymF1ZV4RQ1ow4Sh5VSLN6slyu3VdZO2tOd2A
oQPJx1UDKTItpiHItcwC8jbLGxSydUvNUDIHxWRfZs1zPArR0s6xYEhI0XkUiR0d
lNlYFii0JUWN6btqLJQ+DaeIapreraNQQ4r4mv6/YDQdx2a5AvpRO4iug7aUFLrL
0AbFAIs4G/NdqMQr0/dQJQtQqmo9aqhCjH6hILSxAgMBAAGjggG1MIIBsTAMBgNV
HRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAOBgNVHQ8B
Af8EBAMCBaAwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5nb2RhZGR5LmNv
bS9nZGlnMnMxLTg3LmNybDBTBgNVHSAETDBKMEgGC2CGSAGG/W0BBxcBMDkwNwYI
KwYBBQUHAgEWK2h0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3Np
dG9yeS8wdgYIKwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5n
b2RhZGR5LmNvbS8wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29k
YWRkeS5jb20vcmVwb3NpdG9yeS9nZGlnMi5jcnQwHwYDVR0jBBgwFoAUQMK9J47M
NIMwojPX+2yz8LQsgM4wLQYDVR0RBCYwJIIRKi5vcGVuZGVza3RvcC5vcmeCD29w
ZW5kZXNrdG9wLm9yZzAdBgNVHQ4EFgQUsWdNSAR9zEmooOb7DfTXyBZJnOwwDQYJ
KoZIhvcNAQELBQADggEBAGhvdaIB6V3YtMgD9VxLp84dCK5s5ZCQfiVt2f5vpZGk
gzuaWiihbsMKtLFmU8c2P76W9eLPk8sFeE28koKbUdh3QUzR3urixLN/I0MsXp0w
MCv+M9n5/28ldVZ6fsDtS75JW2icGJFpXtTvtxRpOMll6bb4VImX4WMmzmVhBCZd
56Liw0Pl8gqYX10DwpyUhpAICl24xf+X8JyllJVaiwjg4aM4fcu72CQjEhpa8OII
hTAaBaKTJEa7HzKYcuM3N+vj9RMToIKclvv3cXUpkodJck863PBHjjSEuUz9ryZv
8s9+FvD9tCf2OHXZhPeWmb6KcSK32ViEzLI6MQuwE1w=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.opendesktop.org
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
---
SSL handshake has read 5632 bytes and written 507 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
  Protocol  : TLSv1
  Cipher  : DHE-RSA-AES256-SHA
  Session-ID: 38876B8EEFEC1854ED6E11E4D6E0FFA440ED7D83D5D9071F61640DD1885996DA
  Session-ID-ctx:
  Master-Key: F98AA85C39F06ED58D088ABD8A383CFBB1F749C3D91D2ACDA310D03F2911B47CB235BF28FEC61AA1885A6E3B7CFD8886
  Key-Arg  : None
  PSK identity: None
  PSK identity hint: None
  SRP username: None
  TLS session ticket:
  0000 - a3 26 36 46 51 3c 01 cf-a1 d6 bf 0e 69 a6 9d cc  .&6FQ<......i...
  0010 - 94 4c 1d 7c 1a e5 fe be-f0 0d 2f df ed 7d 6d ae  .L.|....../..}m.
  0020 - 46 2d 31 8f ef cf f5 20-da f3 4e 9a 3e b4 ca ab  F-1.... ..N.>...
  0030 - e5 6a ee 09 7e b5 8c 80-4b 76 cc 8d 42 87 70 b6  .j..~...Kv..B.p.
  0040 - f7 35 59 20 80 72 d4 4e-ca 5e 2d 7e 14 29 e3 96  .5Y .r.N.^-~.)..
  0050 - 1a 3a 2b de c7 aa 55 37-26 45 a4 f8 d2 a9 e0 60  .:+...U7&E.....`
  0060 - 4a 13 50 31 3e 23 5c 07-fa cf 71 4e ff bb ec 5c  J.P1>#\...qN...\
  0070 - 2f 0d c3 1d 16 07 52 5c-42 a9 05 11 be f1 7f 3c  /.....R\B......<
  0080 - 74 bc 79 50 09 f0 02 35-7f 21 75 19 10 90 f3 3e  t.yP...5.!u....>
  0090 - 17 0a a0 3d 5d 00 b5 89-dd ac d1 05 35 e2 76 81  ...=].......5.v.
  00a0 - d7 42 db 09 01 51 18 b0-9c 51 8d 90 b5 1d f0 6b  .B...Q...Q.....k
  00b0 - 2b fa 71 a2 ae 3e fb e2-ea fb b5 12 56 e0 76 1e  +.q..>......V.v.

  Start Time: 1414705385
  Timeout  : 300 (sec)
  Verify return code: 0 (ok)
---
```


```
curl -v https://api.owncloud.com
* Rebuilt URL to: https://api.owncloud.com/
* Hostname was NOT found in DNS cache
*  Trying 188.138.118.86...
* Connected to api.owncloud.com (188.138.118.86) port 443 (#0)
* successfully set certificate verify locations:
*  CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
```


----------



## SirDice (Oct 31, 2014)

The answer is staring you right in the face 


```
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
```

You can't verify a self-signed certificate unless you add it to your ca-root-nss.crt file.


----------



## ccsmith (Oct 31, 2014)

The self-signed certificate is from GoDaddy and it _is_ in the ca-root-nss.crt file.


----------



## SirDice (Oct 31, 2014)

If it's from GoDaddy it's not a self-signed certificate.


----------



## ccsmith (Oct 31, 2014)

The root CA certificate is always self-signed, but is trusted because it is in ca-root-nss.crt.

Look again at the certificate chain:


```
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.opendesktop.org
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
```

Note that the fourth certificate in the chain, the root CA certificate, is self-signed (subject and issuer are the same), while none of the others are.

As I originally mentioned, openssl s_client verified the certificate chain; there's nothing wrong with it. However, curl, which was built with openSSL, and which is using the same ca-root-nss.crt file, is complaining about the root certificate. curl will, however, happily connect to other servers using certificates from the same ca-root-nss.crt.


----------

