CODEWITHSUNDEEP
sslcurlopenssl
lelandbatey
lelandbatey

Reputation: 191

cURL says certificate is expired, Firefox disagrees

I'm trying to access an internal site via cURL (which I could access several days ago). However, cURL gives the error curl: (60) SSL certificate problem: certificate has expired. If I use openssl to check the start and end dates of the certificate, it gives a timeframe that I'm well within:

echo | openssl s_client -connect internalsite.example.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Nov 30 00:00:00 2012 GMT
notAfter=Mar 30 12:00:00 2016 GMT
# For reference, the day I'm posting this is July 30th, 2014

Additionally, if I use cURL on a different computer, or connect via the browser (Firefox, Chrome, or IE), I can connect without error.

Also, I'm unable to connect with any version of cURL on my own computer; this includes cURL in Cygwin and cURL on Ubuntu inside a virtual machine, as well as the Windows version.

What might give rise to this behaviour?

Upvotes: 11

Views: 17068

Answers (3)

sylbru
sylbru

Reputation: 1609

If you need a quick and temporary workaround, you can always disable SSL verification, as shown below. Don’t do that if you can avoid it, especially in production or if that request is transmitting sensitive data. Remember that you might be making a request to https://stackoverflow.com but actually sending data to another computer entirely.

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

Upvotes: 3

Jason Rohrer
Jason Rohrer

Reputation: 523

My curl is using the certificate bundle stored in:

/etc/ssl/certs/ca-certificates.crt

I've had this problem in the past, and I fixed it by looking at a machine where curl was working and comparing the .crt files from those two machines, and copying the missing certificate over.

I just had this problem again, and I fixed it this time by just copying the entire file over from the newer machine (a more recent Ubuntu install----the machine where I have the problem is ancient).

And it worked.

Upvotes: 2

Jaime
Jaime

Reputation: 1410

Your cert bundle is probably out of date.

You can get one that's maintained by the curl developers at http://curl.haxx.se/ca/cacert.pem

To use it:

<?
$ch = curl_init("http://example.com");
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_CAINFO, '/path/to/cacert.pem');
$response = curl_exec($ch);

Upvotes: 4

Related Questions