How to Fix CA Certificate Verification in cURL on Ubuntu 10.04: Global Solution for SSL/TLS Issues



After upgrading from Ubuntu 8.04 to 10.04, many developers encounter SSL certificate verification failures in cURL. The core issue stems from the missing CA certificate bundle that cURL uses to verify server certificates against trusted Certificate Authorities.

The specific error you're seeing:

CURL error: SSL certificate problem, verify that the CA cert is OK.
Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:
certificate verify failed

indicates that cURL cannot find a proper CA bundle to validate the remote server's SSL certificate.

The proper way to fix this system-wide is to install the ca-certificates package:

sudo apt-get update
sudo apt-get install ca-certificates

This package contains Mozilla's CA certificate store, which is regularly updated and maintained by the Ubuntu security team.

If you need to manually specify the CA bundle path, you can do it in several ways:

1. Environment Variable

export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

Add this to your ~/.bashrc or /etc/environment for persistence.

2. cURL Configuration File

Create or modify ~/.curlrc with:

cacert = /etc/ssl/certs/ca-certificates.crt

Test your configuration with:

curl -v https://www.google.com

You should see a successful SSL handshake without certificate warnings.

For PHP applications using cURL, you might need to additionally set:

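<?php
$ch = curl_init('https://www.google.com');
// Point this handle at the system CA bundle so peer verification can succeed
curl_setopt($ch, CURLOPT_CAINFO, '/etc/ssl/certs/ca-certificates.crt');
?>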

Or in the php.ini file:

curl.cainfo = "/etc/ssl/certs/ca-certificates.crt"

Remember to periodically update your CA certificates:

sudo update-ca-certificates

This command refreshes the certificate store and creates symlinks in /etc/ssl/certs.


When upgrading from Ubuntu 8.04 to 10.04, many developers encounter SSL verification issues with cURL due to missing CA certificates. The core error manifests as:

CURL error: SSL certificate problem, verify that the CA cert is OK.
Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:
certificate verify failed

The most robust solution is installing the ca-certificates package:

sudo apt-get update
sudo apt-get install ca-certificates
sudo update-ca-certificates --fresh

After installation, check the default certificate bundle location:

curl --version | grep "SSL"

This should show something like:

SSL: OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15

Create or modify the curl configuration file:

sudo nano /etc/curl/curlrc

Add this line:

cacert = /etc/ssl/certs/ca-certificates.crt

For PHP applications, modify php.ini:

sudo nano /etc/php5/apache2/php.ini

Add or modify:

curl.cainfo = "/etc/ssl/certs/ca-certificates.crt"

Create a test script:

<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://www.google.com");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
if(curl_errno($ch)) {
    echo 'CURL error: ' . curl_error($ch);
} else {
    echo "Connection successful!";
}
curl_close($ch);
?>

If you need to specify a custom CA bundle path in your code:

curl_setopt($ch, CURLOPT_CAINFO, "/path/to/custom/cacert.pem");

Or for command-line cURL:

curl --cacert /path/to/custom/cacert.pem https://example.com

For applications that can't be modified, set the environment variable:

export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

Add this to your ~/.bashrc or /etc/environment for persistence.
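
To confirm which bundle the settings above actually select, and that the file really contains certificates, the following added example (not part of the original page) resolves the path and counts the PEM entries. The function names are hypothetical; it assumes the precedence documented in the curl man page, where a cacert option overrides CURL_CA_BUNDLE, and falls back to the bundle path used throughout this page.

```shell
#!/bin/sh
# Added example (not from the original page): report which CA bundle the
# settings described above select, and whether that file holds certificates.

DEFAULT_BUNDLE=/etc/ssl/certs/ca-certificates.crt   # path used throughout the page

# Print "missing", "unreadable", "empty" or "ok <count>" for a PEM bundle.
bundle_status() {
    [ -f "$1" ] || { echo "missing"; return 0; }
    [ -r "$1" ] || { echo "unreadable"; return 0; }
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    if [ "$n" -gt 0 ]; then echo "ok $n"; else echo "empty"; fi
}

# Print the last "cacert" value in a curlrc file (nothing if absent).
# Accepts "cacert = X", "cacert X", "--cacert X" and a quoted X; skips comments.
curlrc_cacert() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*\(--\)\{0,1\}cacert[[:space:]=:]\{1,\}"\{0,1\}\([^"]*[^"[:space:]]\)"\{0,1\}[[:space:]]*$/\2/p' "$1" | tail -n 1
}

# Print the bundle curl will use: a curlrc cacert overrides CURL_CA_BUNDLE,
# which overrides the default path.
effective_bundle() {
    from_rc=$(curlrc_cacert "$1")
    if [ -n "$from_rc" ]; then echo "$from_rc"
    elif [ -n "${CURL_CA_BUNDLE:-}" ]; then echo "$CURL_CA_BUNDLE"
    else echo "$DEFAULT_BUNDLE"
    fi
}

# Report for the current user; always returns 0 so it is safe in scripts.
report() {
    b=$(effective_bundle "${HOME:-/nonexistent}/.curlrc")
    echo "bundle: $b ($(bundle_status "$b"))"
}
report
```

A result of "missing" or "empty" means verification will keep failing no matter which of the settings above points at that path.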