LinuxQuestions.org
06-15-2009, 10:50 AM   #1
JDska55
LQ Newbie
 
Registered: Jun 2009
Location: Iowa City, IA
Distribution: SuSE 11, ubuntu Hardy
Posts: 28

Rep: Reputation: 15
curl certificates being refused, possible filepath issue


Hey all-
I've been doing some scripting involving Amazon's EC2 platform on a virtual machine, and my boss wants me to move things over to an actual networked machine in our lab. I got all of the tools and files I was using moved over, but any time I try to use a tool that needs the certificates, I get flatly denied like so:

Code:
$ ec2din #describes running instances on amazon's servers
curl: (60) SSL certificate problem. Verify that the CA is OK. Details: 
error:14090086: SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
#etc etc

$ curl -v https://www.amazonaws.com
* About to connect to 207.171.166.22... connection refused
* couldn't connect to host
* closing connection #0
* curl (7) couldn't connect to host

Sorry if that's a little verbose. I know the certificate works fine, it is a direct copy of the one that is running on my virtual machine. I think that curl may be looking in the wrong place. Any ideas on why curl is misbehaving? I even made the admin add the public part of the certificate to /etc/ssl/certs, but it still didn't work. Please help!!

Thanks,
Jarrod
 
06-15-2009, 11:43 AM   #2
grepmasterd
Member
 
Registered: Aug 2003
Location: Seattle
Distribution: ubuntu, lately
Posts: 182
Blog Entries: 1

Rep: Reputation: 35
"connection refused" means you can't connect on that port (443). So that's not a valid test.

I don't know much about Amazon's cloud service tools, but you may need more than just the server cert. You may also need the CA cert. This agrees with your error message: "certificate verify failed" typically means that the server cert could not be verified because it couldn't find the right signing authority.
 
07-13-2009, 12:25 PM   #3
JDska55
LQ Newbie
 
Registered: Jun 2009
Location: Iowa City, IA
Distribution: SuSE 11, ubuntu Hardy
Posts: 28

Original Poster
Rep: Reputation: 15
Hey guys-
I still don't have this problem resolved. I figured out that the system I'm on has almost no certificates on it for some reason. I need to know what cert curl is trying to find when it's called and gets refused. Is there a way to make curl tell me what certificate it's looking for? If I can get the name of it I can find a copy and have my admin install it on the system. Any help would be HUGELY appreciated.

Cheers,
Jarrod
 
07-13-2009, 07:18 PM   #4
grepmasterd
Member
 
Registered: Aug 2003
Location: Seattle
Distribution: ubuntu, lately
Posts: 182
Blog Entries: 1

Rep: Reputation: 35
Your test with curl is not really valid against the amazonaws site. Use curl against a known https site:

Code:
curl -v https://www.paypal.com/

If you just want to see what certificate the server is offering:

Code:
openssl s_client -connect www.paypal.com:443
openssl s_client -connect www.amazonaws.com:$PORT

where $PORT is that which is used by the ec2din tool.

If you're trying to figure out where certs are stored on your local system, then that depends on what OS/distro you are using. curl uses the openssl library, and can be found on Debian-based systems under /etc/ssl/certs (which should be a symlink to /usr/share/ca-certificates/mozilla)

hope that helps
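
Added example, not part of the thread: the "certificate verify failed" case from post #2 reproduced offline, showing that the issuer line of the server certificate names the CA the client has to trust. The certificates, subject names, file names and function names are all constructed for the example.

```shell
#!/bin/sh
# Added example: every key and certificate here is throwaway test material.

# Print the issuer of a certificate, i.e. the signing authority a client
# must have in its trust store for verification to succeed.
cert_issuer() {
    openssl x509 -noout -issuer -in "$1"
}

# Succeed only if certificate $2 chains to a CA contained in bundle $1.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Build a test CA, an unrelated CA, and a server cert signed by the first.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated Test CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=server.example.test" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/srv.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/srv.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_test_pki "$d" || { rm -rf "$d"; return 1; }
    cert_issuer "$d/srv.pem"
    # Trust store lacks the signing CA: same failure class as curl error 60.
    if chain_ok "$d/other.pem" "$d/srv.pem"; then
        echo "unrelated CA only: verified"
    else
        echo "unrelated CA only: certificate verify failed"
    fi
    # Trust store contains the CA named in the issuer line.
    if chain_ok "$d/ca.pem" "$d/srv.pem"; then
        echo "issuing CA present: verified"
    fi
    rm -rf "$d"
}

demo
```

Against a live server the same two checks apply to the chain printed by `openssl s_client -connect host:443 -showcerts`, and once the CA named in the issuer line is saved to a file, `curl --cacert` points curl at it.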
 