{"id":11503,"date":"2018-11-07T07:58:20","date_gmt":"2018-11-07T06:58:20","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=11503"},"modified":"2024-01-31T09:09:53","modified_gmt":"2024-01-31T08:09:53","slug":"get-the-ca-cert-for-curl","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2018\/11\/07\/get-the-ca-cert-for-curl\/","title":{"rendered":"Get the CA cert for curl"},"content":{"rendered":"\n

When you use curl to communicate with a HTTPS site (or any other protocol that uses TLS), it will by default verify that the server is signed by a trusted Certificate Authority (CA). It does this by checking the CA bundle it was built to use, or instructed to use with the –cacert<\/a> command line option.<\/p>\n\n\n\n

Sometimes you end up in a situation where you don’t have the necessary CA cert in your bundle. It could then look something like this:<\/p>\n\n\n\n

$ curl https:\/\/example.com\/\ncurl: (60) SSL certificate problem: self signed certificate\nMore details here: https:\/\/curl.se\/docs\/sslcerts.html<\/span><\/pre>\n\n\n\n
Do not disable!<\/h2>\n\n\n\n
A first gut reaction could be to disable the certificate check. Don’t do that. You’ll just make that end up in production or get copied by someone else and then you’ll spread the insecure use to other places and eventually cause a security problem.<\/p>\n\n\n\n
Get the CA cert<\/h2>\n\n\n\n
I’ll show you four different ways to fix this.<\/p>\n\n\n\n
1. Update your OS CA store<\/h5>\n\n\n\n
Operating systems come with a CA bundle of their own and on most of them, curl is setup to use the system CA store. A system update often makes curl work again.<\/p>\n\n\n\n
This of course doesn’t help you if you have a self-signed certificate or otherwise use a CA that your operating system doesn’t have in its trust store.<\/p>\n\n\n\n
2. Get an updated CA bundle from us<\/h5>\n\n\n\n
curl can be told to use a separate stand-alone file as CA store, and conveniently enough curl provides an updated one on the curl web site<\/a>. That one is automatically converted from the one Mozilla provides for Firefox, updated daily. It also provides a little backlog so the ten most recent CA stores are available.<\/p>\n\n\n\n
If you agree to trust the same CAs that Firefox trusts. This is a good choice.<\/p>\n\n\n\n
3. Get it with openssl<\/h5>\n\n\n\n
Now we’re approaching the less good options. It’s way better to get the CA certificates via other means than from the actual site you’re trying to connect to!<\/p>\n\n\n\n
This method uses the openssl command line tool<\/a>. The servername option used below is there to set the SNI field<\/a>, which often is necessary to tell the server which actual site’s certificate you want.<\/p>\n\n\n\n
$ echo quit | openssl s_client -showcerts -servername server -connect server:443 > cacert.pem<\/span><\/pre>\n\n\n\n
A real world example, getting the certs for daniel.haxx.se and then getting the main page with curl using them:<\/p>\n\n\n\n
$ echo quit | openssl s_client -showcerts -servername daniel.haxx.se -connect daniel.haxx.se:443 > cacert.pem\n\n$ curl --cacert cacert.pem https:\/\/daniel.haxx.se\n<\/span><\/pre>\n\n\n\n
4. Get it with Firefox<\/h5>\n\n\n\n
Suppose you’re browsing the site already fine with Firefox. Then you can do inspect it using the browser and export to use with curl.<\/p>\n\n\n\n
Step 1 – click the i in the circle on the left of the URL in the address bar of your browser.<\/p>\n\n\n\n
Step 2 – click the right arrow on the right side in the drop-down window that appeared.<\/p>\n\n\n
\n
\"\"<\/a><\/figure>\n<\/div>\n\n\n
Step 3 – new contents appeared, now click the “More Information” at the bottom, which pops up a new separate window…<\/p>\n\n\n
\n
\"\"<\/a><\/figure>\n<\/div>\n\n\n
Step 4 – Here you get security information from Firefox about the site you’re visiting. Click the “View Certificate” button on the right. It pops up yet another separate window.<\/p>\n\n\n
\n
\"\"<\/a><\/figure>\n<\/div>\n\n\n
Step 5 – in this window full of certificate information, select the “Details” tab…<\/p>\n\n\n
\n
\"\"<\/a><\/figure>\n<\/div>\n\n\n
Step 6 – when switched to the details tab, there’s the certificate hierarchy shown at the top and we select the top choice there. This list will of course look different for different sites<\/p>\n\n\n
\n
\"\"<\/a><\/figure>\n<\/div>\n\n\n
Step 7 – now click the “Export” tab at the bottom left and save the file (that uses a .crt extension) somewhere suitable.<\/p>\n\n\n\n
If you for example saved the exported certificate using in \/tmp, you could then use curl with that saved certificate something like this:<\/p>\n\n\n\n
$ curl --cacert \/tmp\/GlobalSignRootCA-R3.crt https:\/\/curl.se<\/span><\/pre>\n\n\n\n
But I’m not using openssl!<\/h2>\n\n\n\n
This description assumes you’re using a curl that uses a CA bundle in the PEM format, which not all do – in particular not the ones built with NSS, Schannel (native Windows) or Secure Transport (native macOS and iOS) don’t.<\/p>\n\n\n\n
If you use one of those, you need to then add additional command to import the PEM formatted cert into the particular CA store of yours.<\/p>\n\n\n\n
A CA store is many PEM files concatenated<\/h2>\n\n\n\n
Just concatenate many different PEM files into a single file to create a CA store with multiple certificates.<\/p>\n","protected":false},"excerpt":{"rendered":"
When you use curl to communicate with a HTTPS site (or any other protocol that uses TLS), it will by default verify that the server is signed by a trusted Certificate Authority (CA). It does this by checking the CA bundle it was built to use, or instructed to use with the –cacert command line … Continue reading Get the CA cert for curl<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":11526,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,393,133],"tags":[33,86,193,381],"class_list":["post-11503","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-curl","category-firefox-floss","category-security","tag-curl-and-libcurl","tag-firefox","tag-openssl","tag-tls"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/11503","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=11503"}],"version-history":[{"count":23,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/11503\/revisions"}],"predecessor-version":[{"id":24159,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/11503\/revisions\/24159"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/11526"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=11503"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=11503"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=11503"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}