Ubuntu 10.04/CURL: How do I fix/update the CA Bundle?

I recently upgraded our server from 8.04 to 10.04, and all the software along with it.

From what I've found online, it seems that the new version of CURL doesn't include a CA bundle, and, as a result, fails to verify that the certificate of the server you're connecting to is signed by a valid authority.

The actual error is:

CURL error: SSL certificate problem, verify that the CA cert is OK.
Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:
certificate verify failed 

Some places I've found suggest manually specifying a CA file or disabling the check altogether by setting an option when you call CURL, but I'd much rather fix the issue globally, rather than having to modify each application's CURL calls.

Is there a way to fix CURL's CA problem server-wide so that all of the existing application code works as is without needing to be modified?


I've been having the same trouble and after poking around a bit found that you can download a package of CA-certs ready for curl on Ubuntu directly from the curl dev site.

cd /etc/ssl/certs
sudo wget http://curl.haxx.se/ca/cacert.pem

Now curl uses the most up-to-date bundle and you're good to go.


Had a similar problem with Ubuntu 12.04 running curl from the command line to get aws command-line tools which were in GitHub. I found if I ran the command-line as such:

curl https://raw.github.com/timkay/aws/master/aws -o aws --cacert /etc/ssl/certs/ca-certificates.crt

it would work. But trying to set the CURL_CA_BUNDLE environment variable so I could avoid the "cacert" argument would not work. Ultimately updating the ca-certificates seemed to resolve the problem:

sudo update-ca-certificates

As a side note, at one point I updated ca-certs from curl.haxx.se which did not resolve the problem but may have been related. (sudo wget http://curl.haxx.se/ca/cacert.pem run from /etc/ssl/certs).


Typically, software that does not have a unique implementation and is compiled against OpenSSL will reference the system-wide ca-bundle.crt often located in /usr/share/ssl/certs.

The location may be different in Ubuntu but the OpenSSL package should include the ca-bundle file.

CURL has a variety of options to specify how it verifies certificates:

  • The CURL_CA_BUNDLE environment variable for the location of the ca-bundle file.
  • --capath allows you to specify the directory where CA certificates are located. (Overrides CURL_CA_BUNDLE)
  • --cacert allows you to specify the CA certificate file.

On my CentOS server, I can run the following to identify the ca-bundle path that CURL uses:

$ curl-config --ca
/usr/share/ssl/certs/ca-bundle.crt
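
As an added example (not part of any answer above and not curl's own tooling), this sh script reports whether the CA sources named in the answers are usable on a host: the CURL_CA_BUNDLE file, the path printed by curl-config --ca, the two bundle paths mentioned, and the /etc/ssl/certs directory. The function names are made up for the example; it only counts PEM markers and hash-named directory entries and does not validate the certificates themselves.

```shell
#!/bin/sh
# Added example: report which CA sources on this host curl/OpenSSL could use.
# Paths are the ones named on this page; function names are hypothetical.

# Number of PEM certificate blocks in a file (markers only, no parsing).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1") || true
    echo "${n:-0}"
}

# Classify a bundle file such as one given via --cacert or CURL_CA_BUNDLE.
check_bundle() {
    [ -e "$1" ] || { echo "missing"; return 0; }
    [ -r "$1" ] || { echo "unreadable"; return 0; }
    c=$(count_pem_certs "$1")
    if [ "$c" -gt 0 ]; then echo "ok:$c"; else echo "no-certificates"; fi
}

# Count hash-named entries (hhhhhhhh.N) in a --capath directory. OpenSSL finds
# CAs in a directory only through these names, so a PEM file that was merely
# copied into the directory is not picked up by a directory lookup.
count_hashed_entries() {
    [ -d "$1" ] || { echo 0; return 0; }
    ls "$1" 2>/dev/null | grep -c -E '^[0-9a-f]{8}\.[0-9]+$' || true
}

report_ca_sources() {
    if [ -n "${CURL_CA_BUNDLE:-}" ]; then
        echo "CURL_CA_BUNDLE=$CURL_CA_BUNDLE -> $(check_bundle "$CURL_CA_BUNDLE")"
    fi
    if command -v curl-config >/dev/null 2>&1; then
        built_in=$(curl-config --ca 2>/dev/null) || built_in=""
        [ -z "$built_in" ] || echo "curl-config --ca: $built_in -> $(check_bundle "$built_in")"
    fi
    for f in /etc/ssl/certs/ca-certificates.crt /usr/share/ssl/certs/ca-bundle.crt; do
        echo "$f -> $(check_bundle "$f")"
    done
    echo "/etc/ssl/certs hashed entries: $(count_hashed_entries /etc/ssl/certs)"
}

report_ca_sources
```

A result of "missing" or "no-certificates" for the path curl was built with, or zero hashed entries in the directory, points at the trust store rather than at the remote server's certificate.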