Caleb Vear

Reputation: 2647

CURL not correctly applying CA certificate file

I can't get curl to validate the SSL cert for https://testintegrations.pentanasolutions.com/iTestDriveService. It works fine in my web browser. The certificate is signed by DigiCert which I thought perhaps was not included in the bundle on my linux box.

To try and work around that I extracted the CA certificates from my Windows machine into the AllCA.pem file (which can be seen in this gist) and told curl to use that. The SSL validation still failed. I then tried just extracting the DigiCert root certificate by viewing the certificate chain from the browser and using just this cert with curl. It still doesn't validate the certificate. Here is the DigiCert.pem file.


The specific curl command I am running is:

curl -G https://testintegrations.pentanasolutions.com/iTestDriveService --cacert DigiCert.pem -v

Which produces this output:

* About to connect() to testintegrations.pentanasolutions.com port 443 (#0)
*   Trying 203.25.42.36... connected
* Connected to testintegrations.pentanasolutions.com (203.25.42.36) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /Volumes/C/Users/caleb/Desktop/DigiCert2.cer
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

The insecure option is not an option so I need to find a way to validate the certificate correctly.

Can anyone explain why this isn't working?

As a kind of sanity check I tried:

curl -G https://www.google.com.au --cacert DigiCert.pem -v

This worked, which I find very odd, as the DigiCert.pem file does not include the root certificate that Google's cert is signed by. This makes me wonder if curl is even using my CA file at all.

Upvotes: 4

Views: 11556

Answers (2)

JohnLBevan

Reputation: 24430

Should it benefit others, I had the same issue, though the root cause for me was server side.

I could connect to FTP over SSL using a FileZilla client, but got the above exception when using cURL. My server was running FileZilla Server. After a lot of investigation I found the issue was that I'd pointed FileZilla at my CRT file, but this only contained my certificate, not the intermediate one. By amending this CRT file to include both certificates' codes, all was good.

More info here: https://forum.filezilla-project.org/viewtopic.php?t=13281 (specifically post by Tim Kosse at 2009-10-01 13:01).

Upvotes: 0

Steffen Ullrich

Reputation: 123320

I've exported the certificates from a successful connection with Firefox and the serial numbers don't match. Also, I get the following verification chain:

  1. DigiCert High Assurance EV Root CA (your DigiCert.pem)
  2. DigiCert High Assurance CA-3
  3. *.pentasolutions.com

Only the first certificate is initially known by the browser, because it is built in. So the website is required to pass not only the last certificate (#3) but also all CAs in between (#2) to make verification possible. But the website sends only #3 and omits the chain #2. In this case verification is only possible if the browser knows these intermediate CAs from previous connections to other hosts. So if I use a new Firefox profile the verification fails also with Firefox because of the missing intermediate certificate.

Unfortunately it is a very common error to forget to configure the certificate chain in the web server, because verification only fails if the browser does not remember the intermediate certificates from previous connections.

Upvotes: 5
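Steffen's diagnosis, reproduced locally as an added example that is not part of the question or either answer: a throwaway root, intermediate and leaf are generated with the openssl CLI (the names Example Root CA, Example Intermediate CA and www.example.com are constructed), and the leaf is then verified against the root alone, once as a server that omits its intermediate would present it and once with the intermediate supplied.

```shell
#!/bin/sh
# Added example (not from the question or answers above): a verifier holding only
# the root cannot validate the leaf unless the intermediate is also supplied, which
# is what a server that omits its chain leaves the client without. Constructed names.
set -e

# make_chain DIR: writes root.pem, int.pem and leaf.pem (plus keys) into DIR.
make_chain() {
    dir="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > "$dir/leaf.ext"
    # Self-signed root: the only certificate a client such as curl --cacert is given.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 2 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" >/dev/null 2>&1
    # Intermediate CA issued by the root: the certificate the server must send along.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/ca.ext" -out "$dir/int.pem" >/dev/null 2>&1
    # Leaf (server) certificate issued by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >/dev/null 2>&1
}

# verify_leaf DIR MODE: MODE is "with-intermediate" (server sends its chain) or
# "without-intermediate" (server sends only the leaf). The trust anchor is root.pem
# alone, like --cacert DigiCert.pem in the question. Prints "ok" or "fail".
verify_leaf() {
    if [ "$2" = "with-intermediate" ]; then
        extra="-untrusted $1/int.pem"     # chain certificate as presented by the server
    else
        extra=""
    fi
    if openssl verify -CAfile "$1/root.pem" $extra "$1/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

work=$(mktemp -d)
make_chain "$work"
echo "server omits intermediate: $(verify_leaf "$work" without-intermediate)"   # fail
echo "server sends intermediate: $(verify_leaf "$work" with-intermediate)"      # ok
rm -rf "$work"
```

Against a live server, `openssl s_client -showcerts -connect host:443 </dev/null` lists every certificate the server actually sends; if only one BEGIN CERTIFICATE block appears, the intermediate is missing from the server configuration and no client-side CA bundle will fix it.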
