No Ubuntu 13.10 executando o sistema curl:
curl --version
curl 7.32.0 (x86_64-pc-linux-gnu) libcurl/7.32.0 OpenSSL/1.0.1e zlib/1.2.8 libidn/1.28 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
Estou recebendo um erro de SSL ao tentar se conectar a https://blog.pinboard.in .
curl -v https://blog.pinboard.in/
* Adding handle: conn: 0x1365a00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x1365a00) send_pipe: 1, recv_pipe: 0
* About to connect() to blog.pinboard.in port 443 (#0)
* Trying 67.23.8.22...
* Connected to blog.pinboard.in (67.23.8.22) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Usando o curl 7.30.0 no Mac OS 10.9, não há erro SSL:
curl -v https://blog.pinboard.in
* Adding handle: conn: 0x7fbe79003a00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fbe79003a00) send_pipe: 1, recv_pipe: 0
* About to connect() to blog.pinboard.in port 443 (#0)
* Trying 67.23.8.22...
* Connected to blog.pinboard.in (67.23.8.22) port 443 (#0)
* TLS 1.0 connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate: *.pinboard.in
* Server certificate: Gandi Standard SSL CA
* Server certificate: UTN-USERFirst-Hardware
> HEAD / HTTP/1.1
> User-Agent: curl/7.30.0
> Host: blog.pinboard.in
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Mon, 24 Mar 2014 00:52:00 GMT
Date: Mon, 24 Mar 2014 00:52:00 GMT
* Server Apache/2.2.9 (Debian) mod_fastcgi/2.4.6 PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8o is not blacklisted
< Server: Apache/2.2.9 (Debian) mod_fastcgi/2.4.6 PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8o
Server: Apache/2.2.9 (Debian) mod_fastcgi/2.4.6 PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8o
< Last-Modified: Wed, 19 Mar 2014 16:38:20 GMT
Last-Modified: Wed, 19 Mar 2014 16:38:20 GMT
< ETag: "21c05e-e006-4f4f847c4f700"
ETag: "21c05e-e006-4f4f847c4f700"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 57350
Content-Length: 57350
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Content-Type: text/html; charset=utf8
Content-Type: text/html; charset=utf8
<
* Connection #0 to host blog.pinboard.in left intact
Também não há erro SSL ao tentar visitar a página em um navegador. Os resultados do Qualys SSL Labs dizem que a cadeia está incompleta Eu acho que navegadores e Apple curl podem contornar esse problema.
Existe alguma maneira de fazer com que o Ubuntu se conecte sem desabilitar o SSL com -k ou fazer download de certificados manualmente?