So since the Mavericks upgrade curl has more issues with certificates.
When trying to curl a file from my web server with its self-signed certificate it was getting the error "SSL Certificate: Invalid certificate chain".
This was corrected by adding the certificate to my system keychain and setting it to always allow SSL, information I found here and here.
This works fine and when I curl a file it downloads properly.
However if I run curl with sudo before (e.g I have a script which needs to be run with sudo and does a curl in it) then I'm back to the same error message.
I'm guessing that root doesn't read from the system keychain perhaps?
Does anyone know a way to fix this?
asked Feb 21, 2014 at 16:36
Jacob Tomlinson
If you store your CA certificates on the filesystem (in PEM format) you can tell curl to use them with

    sudo curl --cacert /path/to/cacert.pem ...

You can also turn off the certificate verification with

    sudo curl --insecure ...

Edit: Updated with regard to feedback
If you want to set this permanently, you should create a .curlrc file and place it in your home directory. sudo commands may need this file in /var/root. The file takes the same options as the command line but without the dashes. One option per line:
answered Feb 28, 2014 at 11:46
Root doesn't read from the current user trust settings, but there are both admin trust settings and root-user-specific trust settings. (These are also distinct from the system trust settings.) Note, also, that certificate trust settings are somewhat distinct from just adding a certificate to a keychain; you can mark a cert as trusted without fully adding it. (The exact situation here is not clear to me, and the docs I've seen are vague.)
You can mark a cert as trusted for your current user as

    $ security add-trusted-cert /path/to/cert.pem

but that doesn't help with root. The solution, as you might now guess, is either to sudo the above, which then marks it as trusted for the root user specifically:

    $ sudo security add-trusted-cert /path/to/cert.pem

or to use the -d flag to add it to the admin trust settings:

    $ security add-trusted-cert -d /path/to/cert.pem

(OS X will pop up a password dialog to confirm this one.)
Either of the latter two seems to be sufficient for sudo curl.
Reference: //developer.apple.com/library/mac/Documentation/Darwin/Reference/ManPages/man1/security.1.html
answered Mar 2, 2014 at 1:38
Wes Campaigne
This is really in the output hint:
    echo insecure >> ~/.curlrc

Advantage of using above solution is that it works for all curl commands, but it is not recommended since it may introduce MITM attacks by connecting to insecure and untrusted hosts.
answered Sep 19, 2014 at 4:35
zinking
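As an added example (not part of zinking's answer, the first answer, or any other post on this page), the POSIX shell snippet below contrasts the two .curlrc approaches those answers describe: a permanent "cacert=" entry that keeps verification on and trusts only the named PEM, versus an "insecure" entry that turns verification off for every curl invocation. It also audits the rc files curl would consult for the invoking user and for root, using /var/root as root's home as the first answer notes. The PEM path and file names are placeholders; the functions are assumptions of this example, not curl's own tooling.

```shell
#!/bin/sh
# Added example: manage and audit .curlrc files for the "sudo curl" case.
# write_curlrc <dest> <pem>: create an rc file that pins a CA bundle
# (verification stays enabled; only certs chaining to <pem> are trusted).
write_curlrc() {
    dest=$1
    pem=$2
    [ -r "$pem" ] || { echo "no readable PEM at $pem" >&2; return 1; }
    # curl accepts "option = value" lines; subshell keeps the umask local.
    ( umask 077; printf 'cacert = %s\n' "$pem" > "$dest" )
}

# curlrc_is_safe <file>: succeed unless the file disables TLS verification.
# Matches "insecure", "--insecure" and "-k" as whole-line options; a missing
# file means curl's defaults apply, which verify certificates.
curlrc_is_safe() {
    file=$1
    [ -f "$file" ] || return 0
    ! grep -Eq '^[[:space:]]*(-?-?insecure|-k)([[:space:]]*[=:].*)?[[:space:]]*$' "$file"
}

# report: audit the rc file of the current user and of root. Root's home
# is /var/root on macOS (per the first answer); elsewhere adjust the path.
report() {
    for rc in "$HOME/.curlrc" /var/root/.curlrc; do
        if curlrc_is_safe "$rc"; then
            echo "ok: $rc keeps certificate verification on"
        else
            echo "WARNING: $rc disables TLS verification for every curl run"
        fi
    done
}

# Usage (paths are placeholders):
#   sudo sh -c 'write_curlrc /var/root/.curlrc /path/to/cacert.pem'
report
```

Because sudo runs curl as root, root's own rc file (not the calling user's) is the one that matters for the scripted case; writing "cacert=" there gives the permanent fix without the MITM exposure that "insecure" introduces.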
If you use MacPorts (and the 3rd-party script you mentioned doesn't remove it from $PATH or calls /usr/bin/curl) you can install the certsync and curl ports in this order.
certsync is a tool and a corresponding launchd plist that will export your system keychain to $prefix/etc/openssl/cert.pem and install a symlink $prefix/share/curl/curl-ca-bundle.crt -> $prefix/etc/openssl/cert.pem so MacPorts curl will automatically pick up the certificates. certsync will also automatically update the generated files when you change your system keychain.
answered Mar 4, 2014 at 1:14
neverpanic
To make sudo curl work (on OSX Sierra), we had to import the certificate into the System.keychain and trust it there. This could be done manually in the Keychain app or using this command:
    sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain /path/to/cert.pem

It was important to both specify -d and manually set the path to the System keychain via -k to make sure the cert actually gets imported there if it isn't yet.
The command works without sudo, but then would ask for the password via a UI dialog, which might be a hurdle for scripts.
answered Nov 30, 2016 at 0:55