Recentemente comecei a ter problemas ao usar o curl com SSL (dá erro cert). Pacotes estão atualizados. Tentei fazer "update-ca-certificates --fresh" sem sucesso.
# curl https://github.com/
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
# ls -l /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 233394 may 3 14:20 /etc/ssl/certs/ca-certificates.crt
# apt-get install ca-certificates
Reading package lists... Done
Building dependency tree
Reading state information... Done
ca-certificates is already the newest version (20170717~16.04.1).
0 upgraded, 0 newly installed, 0 to remove and 30 not upgraded.
# sudo update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
148 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
updates of cacerts keystore disabled.
Updating Mono key store
Linux Cert Store Sync - version 4.2.1.0
Synchronize local certs with certs from local Linux trust store.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.
I already trust 149, your new list has 148
Import process completed.
Done
done.
# curl https://github.com/
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
# ls -l /etc/ssl/certs/ | wc -l
452
$ ls -l /etc/ssl/certs/ | head
total 708
lrwxrwxrwx 1 root root 26 may 3 14:30 00673b5b.0 -> thawte_Primary_Root_CA.pem
lrwxrwxrwx 1 root root 45 may 3 14:30 02265526.0 -> Entrust_Root_Certification_Authority_-_G2.pem
lrwxrwxrwx 1 root root 23 may 3 14:30 02756ea4.0 -> Certplus_Root_CA_G1.pem
lrwxrwxrwx 1 root root 31 may 3 14:30 02b73561.0 -> Comodo_Secure_Services_root.pem
lrwxrwxrwx 1 root root 36 may 3 14:30 03179a64.0 -> Staat_der_Nederlanden_EV_Root_CA.pem
lrwxrwxrwx 1 root root 25 may 3 14:30 034868d6.0 -> Swisscom_Root_EV_CA_2.pem
lrwxrwxrwx 1 root root 41 may 3 14:30 04f60c28.0 -> USERTrust_ECC_Certification_Authority.pem
lrwxrwxrwx 1 root root 40 may 3 14:30 052e396b.0 -> AddTrust_Qualified_Certificates_Root.pem
lrwxrwxrwx 1 root root 27 may 3 14:30 062cdee6.0 -> GlobalSign_Root_CA_-_R3.pe
Isso acontece com a maioria dos sites, mas nem todos
$ curl https://yahoo.com
redirect$
$ curl https://google.com
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Versões de tudo:
$ curl --version
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"
$ openssl version
OpenSSL 1.0.2g 1 Mar 2016