Description of problem:
Curl uses only CAfile /etc/pki/tls/certs/ca-bundle.crt as source for trusted root certificates. This is different from how the OpenSSL library handles root certificates. This results in adding a new custom CA-root being non-feasible. The only possibility is by directly modifying the ca-bundle.crt file belonging to package ca-certificates. ca-bundle.crt is likely to be updated, losing any custom changes and resulting in tedious manual changes. At the same time OpenSSL fully supports adding custom certificates; it's just curl not supporting them.

Version-Release number of selected component (if applicable):
7.65.3-3.fc31

How reproducible:
Easily, add custom CA-certificate into OpenSSL and observe it not being used by Curl.

Steps to Reproduce:
1. Add new PEM-certificate into /etc/pki/tls/certs/
2. Run openssl rehash
3. Access a site with curl requiring that newly added certificate

Actual results:
A failure "curl: (60) SSL certificate problem: unable to get local issuer certificate"

Expected results:
A successful HTTPS-connection with trusted certificate

Additional info:
Adding --with-ca-path into build would solve the issue. A patch to alter the spec-file:

--- curl.spec-f31.original 2019-08-01 17:44:12.000000000 +0300 +++ curl.spec 2019-08-07 23:24:23.618499341 +0300 @@ -220,7 +220,9 @@ --enable-threaded-resolver \ --with-gssapi \ --with-nghttp2 \ - --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" + --with-ssl \ + --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \ + --with-ca-path=%{_sysconfdir}/pki/tls/certs/" %global _configure ../configure
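Review bot: the added `--with-ca-path=%{_sysconfdir}/pki/tls/certs/` carries a trailing slash while the `--with-ca-bundle` path on the line above does not; drop it for consistency. The behavioural point worth recording with the change: a CA path is consulted only through hash-named entries, so the `openssl rehash` from step 2 of the reproduction becomes a hard requirement, and a PEM copied into that directory without rehashing will still fail with the same curl (60) error. The spec change should document that, or point at the system-wide shared certificate store mentioned in the Fedora quick-docs link below, which takes effect for all applications rather than only curl.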
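The two trust-store mechanisms the report contrasts can be reproduced offline with OpenSSL's own verifier, without touching a real system store. The script below is an added example, not part of the bug report or of the curl or Fedora packaging; it builds two constructed throwaway self-signed certificates in a temporary directory and assumes only an `openssl` CLI of 1.1.0 or later (for `openssl rehash`, `-no-CAfile` and `-no-CApath`). A CA directory, which is what curl's `--with-ca-path` (or `--capath` at run time) consults, is searched by subject-name hash, so a PEM dropped into it is invisible until the hash symlink exists; a CA file, which is what `--with-ca-bundle` (or `--cacert`) consults, has to contain the certificate itself, which is the manual edit of ca-bundle.crt the report wants to avoid.

```shell
#!/bin/sh
# Added example (not from the bug report, curl or Fedora): reproduce the
# CA-directory vs CA-file behaviour with OpenSSL's verifier, no network needed.
# Assumes the `openssl` CLI 1.1.0+ (`rehash`, `-no-CAfile`, `-no-CApath`).
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found; nothing to demonstrate" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"
CAPATH="$WORK/certs"             # stands in for /etc/pki/tls/certs/
CAFILE="$WORK/ca-bundle.crt"     # stands in for /etc/pki/tls/certs/ca-bundle.crt

# Constructed throwaway self-signed certificate; $1 is the CN, $2 the output basename.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# Verify custom-root.pem using only the hashed directory; prints OK or FAIL.
verify_capath() {
  if openssl verify -no-CAfile -CApath "$CAPATH" "$WORK/custom-root.pem" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# Verify custom-root.pem using only the bundle file; prints OK or FAIL.
verify_cafile() {
  if openssl verify -no-CApath -CAfile "$CAFILE" "$WORK/custom-root.pem" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# Walk through the report's scenario; prints four results in this order:
#   capath before rehash, capath after rehash, bundle without the CA, bundle with it.
demo() {
  mkdir -p "$CAPATH"
  make_root "Custom Test Root" custom-root   # the reporter's custom CA
  make_root "Other Test Root" other-root     # an unrelated CA already in the bundle

  cp "$WORK/custom-root.pem" "$CAPATH/"      # report step 1: drop the PEM into the directory
  before=$(verify_capath)                    # no <hash>.0 entry yet, so the lookup fails
  openssl rehash "$CAPATH" 2>/dev/null       # report step 2: create the hash symlink
  after=$(verify_capath)                     # now found through <subject-hash>.0

  cat "$WORK/other-root.pem" > "$CAFILE"     # a bundle that does not know the custom CA
  without=$(verify_cafile)
  cat "$WORK/custom-root.pem" >> "$CAFILE"   # the manual bundle edit the report complains about
  with=$(verify_cafile)

  echo "$before $after $without $with"
}

RESULT=$(demo)
echo "capath-before-rehash capath-after-rehash bundle-without bundle-with: $RESULT"
```

To see which locations a given curl binary was built with, `curl-config --ca` prints the configured bundle path and `curl-config --configure` prints the full configure options; `curl --capath DIR` and `curl --cacert FILE` are the per-invocation equivalents of the two build options, so an unpatched curl can still be pointed at a hashed directory for a single request without editing ca-bundle.crt.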
See https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/ to learn how to add a new custom CA-root system-wide. The advantage of this approach is that it takes effect on the whole system, not just OpenSSL-based apps.
Yeah, running: trust anchor --store letsencryptauthorityx3.pem.txt seems to do the trick.
Perfect. Thanks for confirmation!