Certificate verification errors when using curl

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.forpilots.com

I ran this command: curl https://www.forpilots.com

It produced this output:
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a “bundle”
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.

My web server is (include version): Apache/2.2.15

The operating system my web server runs on is (include version): CentOS 6.7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.39.0

Notes: The https:// URL works fine when using a Windows browser, but experiences the verification issue only when using curl under Linux (specifically, from Ubuntu-16.04).


You are not sending a full certificate chain from your webserver. This will have mixed results in different browser/OS combos, as you have observed.

Since you are using Apache 2.2, you will want to do something like:

SSLCertificateChainFile /etc/letsencrypt/live/forpilots.com/chain.pem

and then restart Apache. The exact subdirectory inside live/ may be slightly different based on how your certificate is named.

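The incomplete-chain failure described in the reply above, reproduced offline as an added example that is not part of the original thread: a throwaway root, intermediate and leaf are generated with openssl, and the leaf is verified the way a client holding only the root would, first without and then with chain.pem. The names Lab Root, Lab Intermediate and www.example.test, and the helper functions, are constructed for this example.

```shell
#!/usr/bin/env bash
# Constructed lab PKI (all names made up): Lab Root -> Lab Intermediate -> www.example.test.
# File names mirror certbot's live/ directory: cert.pem = leaf, chain.pem = intermediate.

build_lab_pki() {  # $1 = empty working directory
  d=$1; cfg=$1/lab.cnf
  cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
  # Root: stands in for the CA that is already in the client's trust bundle.
  openssl req -config "$cfg" -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Root" \
    -extensions ca_ext -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate (chain.pem) signed by the root, then the leaf (cert.pem) signed by it.
  openssl req -config "$cfg" -new -newkey rsa:2048 -nodes -subj "/CN=Lab Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$cfg" -extensions ca_ext -out "$d/chain.pem" 2>/dev/null
  openssl req -config "$cfg" -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 2 -extfile "$cfg" -extensions leaf_ext -out "$d/cert.pem" 2>/dev/null
}

# Verify the way a client with only the root in its bundle would.
# $1 = trust bundle, $2 = leaf, $3 = intermediates the server sent (optional).
client_accepts() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1
  else
    openssl verify -CAfile "$1" "$2" 2>&1
  fi | grep -q ': OK$'
}

lab=$(mktemp -d)
build_lab_pki "$lab"
if client_accepts "$lab/root.pem" "$lab/cert.pem"; then echo "leaf only: accepted"; else echo "leaf only: rejected"; fi
if client_accepts "$lab/root.pem" "$lab/cert.pem" "$lab/chain.pem"; then echo "leaf + chain.pem: accepted"; else echo "leaf + chain.pem: rejected"; fi
```

Against a live server, `openssl s_client -connect www.example.test:443 -servername www.example.test -showcerts </dev/null` (placeholder hostname) lists the certificates the server actually sends, which shows whether the intermediate is included.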

Thanks, that worked perfectly!
