Bug 1738681 - Curl not using CA-path - custom certificates not used
Summary: Curl not using CA-path - custom certificates not used
Alias: None
Product: Fedora
Classification: Fedora
Component: curl
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Kamil Dudka
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2019-08-07 20:39 UTC by Jari Turkia
Modified: 2019-08-08 13:09 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-08-08 13:09:29 UTC
Type: Bug


Description Jari Turkia 2019-08-07 20:39:52 UTC
Description of problem:
Curl uses only the CAfile /etc/pki/tls/certs/ca-bundle.crt as its source of trusted root certificates. This is different from how the OpenSSL library handles root certificates. This results in adding a new custom CA root being infeasible.

The only possibility is to directly modify the ca-bundle.crt file belonging to the package ca-certificates. ca-bundle.crt is likely to be updated, losing any custom changes and resulting in tedious manual changes. At the same time OpenSSL fully supports adding custom certificates; it's just curl not supporting them.

Version-Release number of selected component (if applicable):

How reproducible:
Easily: add a custom CA certificate to OpenSSL and observe it not being used by curl.

Steps to Reproduce:
1. Add a new PEM certificate to /etc/pki/tls/certs/
2. Run openssl rehash
3. Access with curl a site that requires the newly added certificate

Actual results:
A failure "curl: (60) SSL certificate problem: unable to get local issuer certificate"

Expected results:
A successful HTTPS connection with a trusted certificate

Additional info:
Adding --with-ca-path to the build would solve the issue.

A patch to alter the spec file:
--- curl.spec-f31.original      2019-08-01 17:44:12.000000000 +0300
+++ curl.spec   2019-08-07 23:24:23.618499341 +0300
@@ -220,7 +220,9 @@
     --enable-threaded-resolver \
     --with-gssapi \
     --with-nghttp2 \
-    --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt"
+    --with-ssl \
+    --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \
+    --with-ca-path=%{_sysconfdir}/pki/tls/certs/"

 %global _configure ../configure

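Review bot: the spec change needs a stated rationale, because `--with-ca-path=%{_sysconfdir}/pki/tls/certs/` makes curl treat any PEM file dropped into that directory and hashed with `openssl rehash` as a trust anchor for every user of the system's libcurl, a second trust source alongside the ca-bundle.crt that the ca-certificates package maintains; if the goal is only to trust one custom CA, adding it to the shared system store (as comment 1 suggests) achieves that without widening curl's default trust. Minor: the trailing slash in `--with-ca-path=.../certs/` is inconsistent with the `--with-ca-bundle` path style on the line above it.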
Comment 1 Kamil Dudka 2019-08-08 10:10:11 UTC
See https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/ to learn how to add a new custom CA-root system-wide.  The advantage of this approach is that it takes effect on the whole system, not just OpenSSL-based apps.

Comment 2 Jari Turkia 2019-08-08 12:53:13 UTC
Yeah, running:
trust anchor --store letsencryptauthorityx3.pem.txt

seems to do the trick.
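
A check for the step above, as an added example that is not part of this bug report: after `trust anchor --store` (or any other update of the shared system store), confirm that the custom CA actually appears in the ca-bundle.crt that curl reads, by comparing SHA-256 fingerprints of the DER bytes of each PEM block. The sample PEM blocks are constructed stand-ins, not real certificates; the default bundle path is the one named in the report.

```python
import base64
import hashlib
import re
import sys

# Matches every CERTIFICATE block in a PEM file (ca-bundle.crt holds many of them).
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """SHA-256 fingerprint (lowercase hex) of the DER bytes of each certificate block."""
    fps = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # drop line wrapping before decoding
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def missing_from_bundle(bundle_text, cert_text):
    """Fingerprints from cert_text that do not occur byte-identically in bundle_text."""
    present = set(pem_fingerprints(bundle_text))
    return [fp for fp in pem_fingerprints(cert_text) if fp not in present]


def _fake_pem(payload):
    # Constructed stand-in: valid PEM framing around bytes that are NOT a real certificate.
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(payload).decode() + "\n-----END CERTIFICATE-----\n")


# Constructed sample data, not real certificates.
CUSTOM_CA = _fake_pem(b"constructed custom root CA")
UNRELATED_CA = _fake_pem(b"constructed CA that was never added")
BUNDLE_BEFORE = _fake_pem(b"constructed public root 1") + _fake_pem(b"constructed public root 2")
BUNDLE_AFTER = BUNDLE_BEFORE + CUSTOM_CA  # bundle as it looks once the custom CA was added


def main(argv):
    """Usage: check_ca.py custom-ca.pem [bundle] ; exit 0 if every cert is in the bundle."""
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    bundle_path = argv[2] if len(argv) > 2 else "/etc/pki/tls/certs/ca-bundle.crt"
    with open(argv[1]) as cert, open(bundle_path) as bundle:
        missing = missing_from_bundle(bundle.read(), cert.read())
    print("all present" if not missing else "missing: " + ", ".join(missing))
    return 0 if not missing else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```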

Comment 3 Kamil Dudka 2019-08-08 13:09:29 UTC
Perfect.  Thanks for confirmation!
