Starbeamrainbowlabs

Using the ca-bundle to prevent certificate errors in curl

When you first download and install curl and you try to request something over https, it's likely that you will get an error along these lines:

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

You might think that you can bypass this with the --insecure or -k option, but this is insecure, as it means that curl isn't checking the identity of the remote server before downloading the file in question, leaving you open to a man-in-the-middle attack. The solution: point curl at a bundle of root certificates that it can use to verify a server's identity.

Since curl doesn't pay attention to the certificate store on Windows, we have to provide it with a file that contains these root certificates instead. This can be done by running a script provided by the curl developers that automatically downloads the certificates from Mozilla Firefox's source code and compiles them into a format that curl can understand.

Here's a direct link to the script: mk-ca-bundle.pl

Simply download and run that script, and it will generate a file called ca-bundle.crt in the current directory. Rename it to curl-ca-bundle.crt, and copy it to the directory that you installed curl to. Curl will find it when you next request something over https.

Alternatively, if you can't copy it to the folder that you installed curl to, you can set the CURL_CA_BUNDLE environment variable to the full path to the ca-bundle.crt file.

If you can't run the above script, then you can download a ready-made version from this website. My server will update it automatically at 1am UK time every Saturday.

Here's a link: ca-bundle.crt
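
Whichever way you get the bundle, it helps to confirm that the file really is a PEM bundle before pointing curl at it, since a truncated download or a saved error page will not work as one. The Python script below is an added example, not part of the original post or of curl; check_bundle and the sample strings are names made up here, and it checks structure only, not whether the certificates should be trusted.

```python
import base64
import binascii
import hashlib
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def check_bundle(text):
    """Structural check of a PEM bundle; returns (sha256 fingerprints, problems)."""
    fingerprints, problems = [], []
    body = None  # None while outside a certificate block
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line == BEGIN:
            if body is not None:
                problems.append(f"line {lineno}: BEGIN inside an open block")
            body = []
        elif line == END:
            try:
                der = base64.b64decode("".join(body or []), validate=True)
            except binascii.Error:
                der = b""
            # A DER certificate is an ASN.1 SEQUENCE, so it starts with 0x30.
            if der[:1] == b"\x30":
                fingerprints.append(hashlib.sha256(der).hexdigest())
            else:
                problems.append(f"line {lineno}: END without a base64 DER body")
            body = None
        elif body is not None:
            body.append(line)  # text outside blocks (names, comments) is ignored
    if body is not None:
        problems.append("file ends inside a certificate block (truncated?)")
    if not fingerprints:
        problems.append("no certificates found")
    return fingerprints, problems


# Constructed samples: DER-shaped bytes, not a real certificate.
_FAKE = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_OK = f"Example Root\n============\n{BEGIN}\n{_FAKE}\n{END}\n"
SAMPLE_TRUNCATED = f"{BEGIN}\n{_FAKE[:4]}\n"
SAMPLE_HTML = "<html><body>404 Not Found</body></html>\n"

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "ca-bundle.crt"
    with open(path, encoding="utf-8", errors="replace") as fh:
        certs, problems = check_bundle(fh.read())
    print(f"{len(certs)} certificates; problems: {problems or 'none'}")
    sys.exit(1 if problems else 0)
```

Run it with the path to the bundle as its only argument; a non-zero exit status means the file should not be used as curl's CA bundle.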

Art by Mythdael