Curl fails to retrieve HTTPS content

0xBAADF00D asked:

I’ve an issue on my production server running on Debian 6 (apt-get update; apt-get upgrade done with success).

When I call an HTTPS (StartSSL) server I get an error message on Debian 6:

#> curl --version
curl 7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/ libidn/1.15 libssh2/1.2.6
Protocols: dict file ftp ftps http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

#> curl
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here:

But when I call the same address on Debian 7 (server is up-to-date too), everything works well:

#> curl --version
curl 7.26.0 (x86_64-pc-linux-gnu) libcurl/7.26.0 OpenSSL/1.0.1e zlib/1.2.7 libidn/1.25 libssh2/1.4.2 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: Debug GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

#> curl
{'code':'ko', 'message':'ERR_AUTH_BASIC_NEEDED'}

Do you have any idea why HTTPS fails with curl on Debian 6 and works with curl on Debian 7?

My answer:

It’s not curl that’s outdated, but the bundle of root CA certificates that the system uses. The valid certificates can change over time as CAs start up, go out of business, or their certificates expire or get revoked or renewed.

In Debian, these are in the ca-certificates package. For squeeze, this doesn’t seem to have been updated in several years. Only wheezy and newer appear to be anywhere near current. Distributions should be updating these throughout the supported life of the distribution, but Debian doesn’t seem to be doing this.

You ought to be able to backport it yourself using the source package (don’t attempt to use the binary packages; their dependencies are updated as well, and breakage will ensue).

View the full question and any other answers on Server Fault.
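The answer's reasoning can be checked on the box itself before backporting anything. The script below is an added example, not part of the original question or answer: it maps curl's exit status to a diagnosis (exit 60 is the one in the question), counts the roots in the system CA bundle, lists any roots that have already expired, and, when given a newer bundle file, retries the request with `--cacert` so that a success on the retry pins the fault on the trust store rather than on curl. It assumes curl and openssl are on the PATH and that the bundle lives at the usual Debian path `/etc/ssl/certs/ca-certificates.crt`; the `SYSTEM_BUNDLE` variable and all function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original question or answer): triage a curl
# "(60) SSL certificate problem" by inspecting the trust store, as the
# answer suggests, rather than curl itself.
# Assumptions (not stated on the page): curl and openssl are on PATH, and the
# system bundle is at /etc/ssl/certs/ca-certificates.crt as on Debian.

SYSTEM_BUNDLE=${SYSTEM_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}

# Map a curl exit status to a one-line diagnosis. Exit 60 is the one in the
# question: curl could not chain the server certificate to a trusted root.
classify_curl_exit() {
    case "$1" in
        0)  printf 'ok: handshake and certificate verification succeeded\n' ;;
        35) printf 'handshake failure: protocol or cipher mismatch, not a trust-store issue\n' ;;
        51) printf 'hostname mismatch: certificate is not for the requested host\n' ;;
        60) printf 'CA problem: server certificate not issued under a root in the CA bundle\n' ;;
        77) printf 'CA bundle unreadable: check the --cacert path or CURL_CA_BUNDLE\n' ;;
        *)  printf 'other curl error (exit %s)\n' "$1" ;;
    esac
}

# Count the roots in a PEM bundle: one BEGIN CERTIFICATE block per root.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print subject and notAfter of every root in the bundle that has already
# expired; an unmaintained ca-certificates package accumulates these.
list_expired_roots() {
    bundle=$1
    dir=$(mktemp -d)
    # Split the bundle into one file per certificate.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { if (f) close(f); n++; f = d "/" n ".pem" }
                     f { print > f }' "$bundle"
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        # -checkend 0 exits non-zero when the certificate is already past notAfter.
        if ! openssl x509 -noout -checkend 0 -in "$f" >/dev/null 2>&1; then
            openssl x509 -noout -subject -enddate -in "$f"
        fi
    done
    rm -rf "$dir"
}

# Run the failing request, classify the exit code, and if it is a CA problem
# retry against a separately supplied, newer bundle. Success on the retry
# confirms that the trust store, not curl, is the culprit.
diagnose_https() {
    url=$1
    fresh_bundle=${2:-}
    if curl -sS -o /dev/null "$url"; then rc=0; else rc=$?; fi
    printf 'system bundle (%s roots): %s\n' \
        "$(count_pem_certs "$SYSTEM_BUNDLE")" "$(classify_curl_exit "$rc")"
    if [ "$rc" -eq 60 ] && [ -n "$fresh_bundle" ]; then
        if curl -sS -o /dev/null --cacert "$fresh_bundle" "$url"; then rc2=0; else rc2=$?; fi
        printf 'newer bundle (%s roots): %s\n' \
            "$(count_pem_certs "$fresh_bundle")" "$(classify_curl_exit "$rc2")"
    fi
    return "$rc"
}

# Usage: sh triage.sh https://host.example [/path/to/newer/ca-bundle.crt]
if [ $# -gt 0 ]; then
    diagnose_https "$@"
    [ -r "$SYSTEM_BUNDLE" ] && list_expired_roots "$SYSTEM_BUNDLE"
fi
```

If the retry with a newer bundle succeeds while the system bundle fails, the fix is the trust store (backporting ca-certificates as the answer describes), and the expired-roots listing shows how stale the shipped bundle really is. If both attempts fail with 60, the server's chain is the more likely problem (for instance a missing intermediate), and no bundle update will help.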

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.