5

I am trying to connect to a site behind a firewall, that is why I cannot share the URL for verification.

$ curl -vvvv https://example.com:8080/foo/ba/?wsdl --cacert /tmp/cacert-2018-12-05.pem 
*   Trying a.b.c.d...
* TCP_NODELAY set
* Connected to example.com (a.b.c.d) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /tmp/cacert-2018-12-05.pem
  CApath: /etc/ssl/certs
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

How can that be?

Does it mean the intermediate cannot be pulled properly? But why does it work with the Browser?

The chain looks like this: [image of the certificate chain, not reproduced]

And the "DigiCert Global Root G2" is in the cacert.pem I am using.

But not the Thawte TLS RSA CA G1.

Alex

2 Answers

7

Does it mean the intermediate cannot be pulled properly?

While it cannot be said definitively from the little information given, this is a typical misconfiguration which results in what you see.

But why does it work with the Browser?

Browsers try to work around such misconfigurations by using cached intermediate certificates from previous connections (Firefox) or even by trying to retrieve the missing certificate based on the issuer information (Chrome). Other tools usually do not work around such misconfigurations.

Steffen Ullrich
  • "While it cannot be said definitely from the few information " What more information can I look at / supply to be sure? – Alex Dec 18 '18 at 09:54
  • Second question: How can I clear the cached certificates from intermediate certificates in Firefox? – Alex Dec 18 '18 at 10:01
  • 1
    This helps: https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings?redirectlocale=en-US&redirectslug=reset-firefox-easily-fix-most-problems After refreshing Firefox I get a cert warning, so that is the case. – Alex Dec 18 '18 at 10:16
3

That's because Chrome and FF support AIA (Authority Information Access) and curl does not. AIA is an SSL extension that provides information about the issuer, and the intermediate cert can be downloaded "on the fly".
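The following is an added example (not part of either answer above, and not code from the poster) that reproduces both points offline: the misconfiguration Steffen describes, where the server sends only its leaf and the client's bundle holds only the root, and the AIA caIssuers pointer the second answer refers to. It builds a throwaway three-level PKI with the openssl CLI (1.1.1 or 3.x assumed); the CA names mirror the chain in the question, but the keys, certificates and the URL http://ca.example.test/intermediate.crt are all constructed here for illustration.

```shell
#!/bin/sh
# Added example: reproduces "unable to get local issuer certificate" with a
# constructed root -> intermediate -> leaf chain, then shows the two things that
# make it go away: supplying the intermediate, and the AIA caIssuers URL a
# browser would fetch it from. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed URL; a real leaf points at the CA's published intermediate.
AIA_URL="http://ca.example.test/intermediate.crt"

build_pki() {
    # Root CA, self-signed: the "DigiCert Global Root G2" role, i.e. what the
    # --cacert bundle in the question contains.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.csr" -subj "/CN=Example Root G2" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$WORK/root.ext"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
        -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null

    # Intermediate: the "Thawte TLS RSA CA G1" role. Not in the bundle, and the
    # misconfigured server does not send it either.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
        -out "$WORK/int.csr" -subj "/CN=Example TLS RSA CA G1" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' \
        > "$WORK/int.ext"
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1825 -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null

    # Leaf for example.com, carrying an AIA caIssuers pointer to the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" -subj "/CN=example.com" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com\nauthorityInfoAccess=caIssuers;URI:%s\n' \
        "$AIA_URL" > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# curl's situation in the question: trust store = root only, server sent the
# leaf only. Prints openssl's diagnosis instead of aborting the script.
verify_with_root_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 || true
}

# The server-side fix is to send the intermediate in the handshake; -untrusted
# models exactly that: a certificate the client received but does not trust.
verify_with_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" 2>&1
}

# The caIssuers URL from the leaf's Authority Information Access extension,
# which a browser that supports AIA fetching uses to obtain the intermediate.
aia_url() {
    openssl x509 -in "$WORK/leaf.pem" -noout -text |
        sed -n 's/.*CA Issuers - URI:\(.*\)$/\1/p'
}

# For a live host:port (needs network, so not run here): how many certificates
# did the server actually send? A single certificate whose issuer is not a
# root is the missing-intermediate misconfiguration.
count_server_certs() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts </dev/null 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

build_pki
echo "--- root only (what curl saw):"
verify_with_root_only
echo "--- root + intermediate supplied:"
verify_with_intermediate
echo "--- AIA caIssuers URL a browser could fetch:"
aia_url
```

To check the real server, run `count_server_certs example.com:8080` (or `openssl s_client -connect example.com:8080 -showcerts` and read the chain by hand); a count of 1 confirms Steffen's diagnosis. The correct fix is on the server, which should send the intermediate. As a client-side workaround, appending the intermediate's PEM to the `--cacert` bundle also makes curl verify, but it only papers over the server's misconfiguration.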