On Mon, Jan 11, 2021 at 3:25 AM Ray Satiro via curl-library <curl-library@cool.haxx.se> wrote:
>
> On 1/11/2021 2:48 AM, Jeffrey Walton via curl-library wrote:
>
> On Mon, Jan 11, 2021 at 2:35 AM Daniel Stenberg <dan...@haxx.se> wrote:
>
> On Mon, 11 Jan 2021, Jeffrey Walton via curl-library wrote:
>
> $ lsb_release -a
> Distributor ID: Ubuntu
> Description: Ubuntu 20.04.1 LTS
> Release: 20.04
> Codename: focal
>
> $ command -v wget
> /usr/bin/wget
>
> $ wget -O cacert.pem 'https://curl.haxx.se/ca/cacert.pem'
> Unable to locally verify the issuer's authority.
>
> The cert is used by Fastly for a vast amount of servers so you're likely to
> have widespread issues when it doesn't work.
>
> When I visit cURL's site in a browser, the CA used is Let's Encrypt
> (and not GlobalSign).
>
> Finally: that URL is the old one anyway, get the bundle from the current URL
> and you'll see that it is signed by another cert: https://curl.se/ca/cacert.pem
>
> OK, thanks. This did not help.
>
> I tested the same on Ubuntu 18.04 with the shipped curl version there and it
> works fine.
>
> Yeah, I updated from 18.04 to 20.04 last week. 18.04 did not have
> troubles. I think today is the first time I ran the script under
> 20.02.
>
> I can give you remote access if you are interested in duplicating it.
> I need your authorized_keys.
>
> I'm using 16 LTS and I can't reproduce either. Try openssl
>
> owner@ubuntu1604-x64-vm:~$ debsums ca-certificates | grep -i globalsign
> /usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R4.crt
> OK
> /usr/share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R5.crt
> OK
> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA.crt
> OK
> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R2.crt
> OK
> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt
> OK
> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R6.crt
> OK
>
> owner@ubuntu1604-x64-vm:~$ SSL_CERT_DIR="" openssl s_client -connect
> curl.haxx.se:443 -servername curl.haxx.se -CAfile
> /usr/share/ca-certificates/mozilla/GlobalSign_Root_CA_-_R3.crt < /dev/null |
> grep "Verify return code"
> depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
> verify return:1
> depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Atlas R3 DV TLS CA 2020
> verify return:1
> depth=0 CN = *.haxx.se
> verify return:1
> DONE
> Verify return code: 0 (ok)

OK, so it looks like something was sideways on my Focal system. I'm
guessing it was promiscuous linking. /usr/bin/wget was being runtime
linked with something I built and installed in /usr/local/lib, and
that caused the problem for curl.se (other sites were OK).

Jeff
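
Added example, not part of the original message or of curl's own tooling: one way to check for the condition described in the reply above, a system binary resolving a shared library from outside the distribution's directories. The trusted prefix list and the sample `ldd` output are assumptions constructed for illustration; the thread does not say which library was involved.

```shell
#!/bin/sh
# Flag shared libraries that a binary resolves from outside the
# distribution-owned library directories (for example /usr/local/lib).

# Reads `ldd` output on stdin and prints "soname path" for every library
# resolved outside the trusted prefixes. The prefix list is an assumption
# that fits a stock Ubuntu layout; adjust it for other systems.
flag_foreign_libs() {
    while read -r soname arrow path _rest; do
        # Only consider lines shaped like "libfoo.so.1 => /path (0x...)".
        [ "$arrow" = "=>" ] || continue
        case "$path" in
            /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) ;;     # distro-owned
            /*) printf '%s %s\n' "$soname" "$path" ;;        # foreign path
            *)  printf '%s %s\n' "$soname" "unresolved" ;;   # "not found"
        esac
    done
}

# Convenience wrapper for a real binary. Run ldd only on binaries you
# trust, because it may execute code from the file being inspected.
check_binary() {
    ldd "$1" | flag_foreign_libs
}

# Constructed sample of ldd output (not taken from the system in the thread).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd1a5f2000)
    libssl.so.1.1 => /usr/local/lib/libssl.so.1.1 (0x00007f3a1c200000)
    libcrypto.so.1.1 => /usr/local/lib/libcrypto.so.1.1 (0x00007f3a1be00000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f3a1bc00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1ba00000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f3a1c600000)'

# Demonstration on the constructed sample; on a real host use:
#   check_binary /usr/bin/wget
printf '%s\n' "$SAMPLE_LDD" | flag_foreign_libs
```

Any line printed for `/usr/bin/wget` means the loader is picking up a locally built library ahead of the packaged one, so the binary's TLS behaviour may differ from what the distribution ships.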