mirror of https://github.com/moparisthebest/curl synced 2025-01-10 21:48:10 -05:00

FAQ: refresh "Why do I get "certificate verify failed"

Add more details, remove references to ancient curl version.
Daniel Stenberg 2020-11-06 09:16:06 +01:00
parent ee644bc8b3
commit 3864ad37e1
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2


@ -913,27 +913,32 @@ FAQ
4.12 Why do I get "certificate verify failed" ? 4.12 Why do I get "certificate verify failed" ?
You invoke curl 7.10 or later to communicate on a https:// URL and get an When you invoke curl and get an error 60 error back it means that curl
error back looking something similar to this: couldn't verify that the server's certificate was good. curl verifies the
certificate using the CA cert bundle and verifying for which names the
certficiate has been granted.
curl: (35) SSL: error:14090086:SSL routines: To completely disable the certficiate verification, use -k. This does
SSL3_GET_SERVER_CERTIFICATE:certificate verify failed however enable man-in-the-middle attacks and makes the transfer INSECURE.
We strongly advice against doing this for more than experiments.
Then it means that curl couldn't verify that the server's certificate was If you get this failure with a CA cert bundle installed and used, the
good. curl verifies the certificate using the CA cert bundle that comes with server's certificate might not be signed by one of the CA's in yout CA
the curl installation. store. It might for example be self-signed. You then correct this problem by
obtaining a valid CA cert for the server. Or again, decrease the security by
disabling this check.
To disable the verification (which makes it act like curl did before 7.10), At times, you find that the verification works in your favorite browser but
use -k. This does however enable man-in-the-middle attacks. fails in curl. When this happens, the reason is usually that the server
sends an incomplete cert chain. The server is mandated to send all
"intermediate certificates" but doesn't. This typically works with browsers
anyway since they A) cache such certs and B) supports AIA which downloads
such missing certificates on demand. This is a server misconfiguration. A
good way to figure out if this is the case it to use the SSL Labs server
test and check the certificate chain: https://www.ssllabs.com/ssltest/
If you get this failure but are having a CA cert bundle installed and used, Details are also in the SSLCERTS.md document, found online here:
the server's certificate is not signed by one of the CA's in the bundle. It https://curl.se/docs/sslcerts.html
might for example be self-signed. You then correct this problem by obtaining
a valid CA cert for the server. Or again, decrease the security by disabling
this check.
Details are also in the SSLCERTS file in the release archives, found online
here: https://curl.se/docs/sslcerts.html
4.13 Why is curl -R on Windows one hour off? 4.13 Why is curl -R on Windows one hour off?
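
Review bot: The new 4.12 text has several typos that would ship in the FAQ: "certficiate" appears twice (in the opening paragraph and in the -k paragraph), "in yout CA store" should be "your", "We strongly advice against" should be "advise", "B) supports AIA" should be "support" to agree with "they", and "if this is the case it to use" should be "is to use". Separately, the self-signed paragraph says to obtain "a valid CA cert for the server" but the only concrete option it names is disabling the check; naming --cacert there would give readers a verified alternative to -k. The rewrite also drops the sample error output while referring only to "error 60", so a reader who searches for the literal "certificate verify failed" message text gets less to match on; consider keeping one example line of the current error output.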