Curl SSL verify error

Hello,

I ran this command:
curl -kvslI https://acme-staging-v02.api.letsencrypt.org
or
sudo curl -kvslI https://acme-staging-v02.api.letsencrypt.org --cacert /etc/ssl/certs/ca-certificates.crt

It produced this output:

*   Trying 2606:4700:60:0:f41b:d4fe:4325:6026:443...
* Connected to acme-staging-v02.api.letsencrypt.org (2606:4700:60:0:f41b:d4fe:4325:6026) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=acme-staging-v02.api.letsencrypt.org
*  start date: Nov 29 03:39:54 2021 GMT
*  expire date: Feb 27 03:39:53 2022 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x563d7685c800)
> HEAD / HTTP/2
> Host: acme-staging-v02.api.letsencrypt.org
> user-agent: curl/7.80.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200 
HTTP/2 200 
< server: nginx
server: nginx
< date: Sat, 04 Dec 2021 12:32:56 GMT
date: Sat, 04 Dec 2021 12:32:56 GMT
< content-type: text/html
content-type: text/html
< content-length: 2190
content-length: 2190
< last-modified: Tue, 17 Aug 2021 18:38:08 GMT
last-modified: Tue, 17 Aug 2021 18:38:08 GMT
< etag: "611c0210-88e"
etag: "611c0210-88e"
< x-frame-options: DENY
x-frame-options: DENY
< strict-transport-security: max-age=604800
strict-transport-security: max-age=604800

< 
* Connection #0 to host acme-staging-v02.api.letsencrypt.org left intact

As you can see

SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway

Why is this so? This problem only occurs on the Manjaro system; curl comes with the installation image.

My computer:

curl 7.80.0 (x86_64-pc-linux-gnu) libcurl/7.80.0 OpenSSL/1.1.1l zlib/1.2.11 brotli/1.0.9 zstd/1.5.0 libidn2/2.3.2 libpsl/0.21.1 (+libidn2/2.3.0) libssh2/1.10.0 nghttp2/1.46.0
Linux 5.14.21-2-MANJARO #1 SMP PREEMPT Sun Nov 21 22:43:47 UTC 2021 x86_64 

Ref: Curl SSL verify error - Help - Let's Encrypt Community Support

Do not use the -k option. With -k, no check is done and no cert store is loaded. If you want to verify a cert you can’t use -k.

Try:

curl -vslI https://acme-staging-v02.api.letsencrypt.org

This is a rather new behavior in curl version 7.80.0. In previous versions, even with -k, the CA store was loaded. See

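Added example, not part of the thread and not curl's own code: a shell function that reads a saved `curl -v` log and reports whether the certificate check actually passed, was skipped over because of -k ("continuing anyway"), or made curl abort. The function names, verdict strings and return codes are assumptions of this example; the sample logs are constructed from the lines quoted above.

```shell
# Constructed sample: verdict lines from the -k run quoted in the thread.
sample_insecure_log() {
cat <<'EOF'
* Server certificate:
*  subject: CN=acme-staging-v02.api.letsencrypt.org
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
< HTTP/2 200
EOF
}

# Constructed sample: what an OpenSSL-backed curl logs when the chain validates.
sample_verified_log() {
cat <<'EOF'
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
< HTTP/2 200
EOF
}

# Reads a `curl -v` log on stdin and prints one verdict:
#   verified | ignored:<code>:<reason> | rejected | unknown
# Returns 0 only for "verified", so it can gate a CI step.
curl_verify_status() {
    log=$(cat)
    # "continuing anyway" is only logged when -k/--insecure let a failed check pass.
    ignored=$(printf '%s\n' "$log" |
        sed -n 's/.*SSL certificate verify result: \(.*\) (\([0-9][0-9]*\)), continuing anyway.*/\2:\1/p' |
        head -n 1)
    if [ -n "$ignored" ]; then
        printf 'ignored:%s\n' "$ignored"; return 1
    fi
    # Without -k, curl aborts with exit code 60 and prints this message instead.
    if printf '%s\n' "$log" | grep -q 'curl: (60) SSL certificate problem'; then
        printf 'rejected\n'; return 1
    fi
    if printf '%s\n' "$log" | grep -q 'SSL certificate verify ok'; then
        printf 'verified\n'; return 0
    fi
    printf 'unknown\n'; return 2
}

# Demo on the constructed samples; "|| true" keeps a non-zero verdict from ending the script.
sample_insecure_log | curl_verify_status || true
sample_verified_log | curl_verify_status || true
```

An "ignored" verdict means the log says nothing about whether the chain is valid; rerun without -k before drawing conclusions about the CA bundle.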