Score:0

curl with --cacert fails on AlmaLinux 8 but works on Ubuntu

km flag
Guy

We try this:

curl -v --cacert cert.pem https://example.com/path.asmx

On Ubuntu it's working, we're getting:

* successfully set certificate verify locations:
*   CAfile: cert.pem
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:

On AlmaLinux 8 it's failing with:

* successfully set certificate verify locations:
*   CAfile: cert.pem
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

What can be the cause?

Thanks

br flag
What are the contents of `cert.pem`?
Score:1
se flag
* successfully set certificate verify locations:
*   CAfile: cert.pem
  CApath: /etc/ssl/certs

Since cert.pem is probably the same on both invocations, the difference is likely in /etc/ssl/certs. I would assume that cert.pem does not actually contain the trusted root CA used by the server certificate, but that it is inside /etc/ssl/certs on one machine but not on the other.

Why the CA is on one machine but not on the other is unknown; it might be caused by different setups of the machines.

* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):

The server asks for a client certificate here. This suggests that your argument of --cacert cert.pem might not be intended to provide the trusted root certificate, but instead the client certificate expected by the server. But for this, --cert and --key should be used.

km flag
Guy
Perfect. Indeed with --cert instead of --cacert, it's working. Thanks!
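The distinction the answer draws (a trust anchor for --cacert versus an end-entity certificate for --cert/--key) can be checked offline with openssl. The script below is an added example, not code from this thread: it constructs a throwaway CA and a client certificate issued by it (hypothetical names "Example Test CA" and "example-client"), classifies each PEM by its basicConstraints extension, and reproduces the chain-building failure ("unable to get local issuer certificate") that results when the client certificate is used as the CA file.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a constructed test PKI
# (a self-signed CA plus a client cert it issued) and shows why a client cert
# handed to --cacert cannot act as a trust anchor.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed PKI: minimal configs so the script does not depend on the
# system openssl.cnf. The leaf is explicitly CA:FALSE with clientAuth.
make_test_pki() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  cat > "$WORK/client.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = example-client
EOF
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n' > "$WORK/client.ext"

  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/client.cnf" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/client.ext" -out "$WORK/client.pem" 2>/dev/null
}

# Print "ca" if the PEM carries basicConstraints CA:TRUE (a candidate for
# --cacert), otherwise "leaf" (belongs with --cert and --key).
classify_pem() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo ca
  else
    echo leaf
  fi
}

# The chain-building step OpenSSL performs for curl: can $2 be chained to a
# trust anchor found in $1? Returns 0 on success, non-zero on failure.
verify_with() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_test_pki
echo "ca.pem is a:     $(classify_pem "$WORK/ca.pem")"
echo "client.pem is a: $(classify_pem "$WORK/client.pem")"
if verify_with "$WORK/client.pem" "$WORK/client.pem"; then
  echo "client.pem as CAfile verified (unexpected)"
else
  echo "client.pem as CAfile fails: unable to get local issuer certificate"
fi
if verify_with "$WORK/ca.pem" "$WORK/client.pem"; then
  echo "ca.pem as CAfile verifies client.pem"
fi
```

If the file turns out to be a genuine CA certificate that is simply missing from one machine's trust store, the fix is distro-specific: on AlmaLinux (RHEL family) copy the PEM into /etc/pki/ca-trust/source/anchors/ and run `update-ca-trust extract`; on Ubuntu copy it as a .crt file into /usr/local/share/ca-certificates/ and run `update-ca-certificates`. Both regenerate the bundle that curl's CApath points at.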
Score:0
vn flag

TLS Alert, unknown CA means that the certificate authority, the one who issued the certificate, is not known as an authority on the Almalinux machine. This is nothing to do with the distros being different. The issue is simply that whoever issued the certificate is known and authoritative on the Ubuntu machine, and not accepted as authoritative on the Almalinux machine. Perhaps the thing to do is find a different CA, one that the Almalinux machine knows and trusts.

km flag
Guy
How do I make the certificate authority known to Almalinux?