Discussion:
Using curl behind a proxy: unable to get local issuer certificate
杜秀涛 via curl-users
2018-01-27 03:40:50 UTC
I want to visit https://pypi.io from a Linux server. I have set the
environment variables HTTP_PROXY and HTTPS_PROXY. When I issued this command:

% curl -LO https://pypi.io/packages/source/v/virtualenv/virtualenv-15.0.2.tar.gz

I got this error: unable to get local issuer certificate

When I was trying to solve the problem, I found that the certificates shown by
my browser and by the openssl showcerts command are different, even though
they were using the same proxy.

In my browser, I got certificates like this:

FIRST: MY_COMPANY Root Ca
SECOND: pypi.org

but with the commands I issued below,

% proxytunnel -p $HTTPS_PROXY -d pypi.io:443 -a 7000
% openssl s_client -connect localhost:7000 -showcerts

I got these two:

FIRST:
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3359300/street=16 Allen Rd/postalCode=03894-4801/C=US/ST=New Hampshire/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
SECOND:
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA

I want to know why.

=================================================================
Full messages as below:

CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3359300/street=16 Allen Rd/postalCode=03894-4801/C=US/ST=New Hampshire/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
-----BEGIN CERTIFICATE-----
---- keys skipped ----
-----END CERTIFICATE-----
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
-----BEGIN CERTIFICATE-----
---- keys skipped ----
-----END CERTIFICATE-----
---
Server certificate
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3359300/street=16 Allen Rd/postalCode=03894-4801/C=US/ST=New Hampshire/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4164 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
---messages skipped---
杜秀涛 via curl-users
2018-01-27 03:43:25 UTC
by the way, my browser didn't complain about anything while trying to visit
pypi.org:443
Post by 杜秀涛 via curl-users
I want to visit https://pypi.io from a Linux server. I have set the
environment variables HTTP_PROXY and HTTPS_PROXY. When I issued this command:
% curl -LO https://pypi.io/packages/source/v/virtualenv/virtualenv-15.0.2.tar.gz
I got this error: unable to get local issuer certificate
When I was trying to solve the problem, I found that the certificates shown by
my browser and by the openssl showcerts command are different, even though
they were using the same proxy.
FIRST: MY_COMPANY Root Ca
SECOND: pypi.org
but with the commands I issued below,
% proxytunnel -p $HTTPS_PROXY -d pypi.io:443 -a 7000
% openssl s_client -connect localhost:7000 -showcerts
I got these two:
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3359300/street=16 Allen Rd/postalCode=03894-4801/C=US/ST=New Hampshire/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
I want to know why.
=================================================================
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3359300/street=16 Allen Rd/postalCode=03894-4801/C=US/ST=New Hampshire/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
-----BEGIN CERTIFICATE-----
---- keys skipped ----
-----END CERTIFICATE-----
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
-----BEGIN CERTIFICATE-----
---- keys skipped ----
-----END CERTIFICATE-----
---
Server certificate
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3359300/street=16 Allen Rd/postalCode=03894-4801/C=US/ST=New Hampshire/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4164 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
---messages skipped---
Daniel Stenberg
2018-01-29 09:53:08 UTC
Post by 杜秀涛 via curl-users
I want to visit https://pypi.io from a Linux server. I have set the environment
% curl -LO https://pypi.io/packages/source/v/virtualenv/virtualenv-15.0.2.tar.gz
I got this error: unable to get local issuer certificate
This error is usually what you get when the server doesn't send you the full
set of certificates. Usually there's a missing intermediate certificate.

Although in this case, I can curl this site just fine so I would perhaps rather
suspect that your CA store is incomplete / out-of-date?
Post by 杜秀涛 via curl-users
When I was trying to solve the problem, I found that the certificates shown by
my browser and by the openssl showcerts command are different, even though
they were using the same proxy.
FIRST: MY_COMPANY Root Ca
SECOND: pypi.org
Having your company accepted in the browser's CA store is a sign that you're
using a MITM proxy and your traffic is intercepted and inspected. That is
itself not a reason for an error, but perhaps you don't have your company's
CA cert in your CA store for your curl command?
Post by 杜秀涛 via curl-users
I want to know why,
I don't know! It's not a common scenario...
--
/ daniel.haxx.se
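The chain-building logic behind this error, as an added example (not code from the thread, from curl or from OpenSSL): the script below parses the Certificate chain section of an `openssl s_client -showcerts` transcript like the one posted above, walks it from the leaf upward against a list of trusted root names that stands in for the local CA store, and reproduces the verify error number and depth OpenSSL prints. On the thread's chain it gives num=20 at depth=1 when the DigiCert root is absent from the store, which is the incomplete or out-of-date bundle Daniel suspects; on a constructed intercepted chain it gives num=20 at depth=0 until the company CA is added, which is the other case he raises. The transcripts, the trimmed subject names, the placeholder certificate body and the MY_COMPANY Root CA name are all constructed for this example, and matching is by distinguished-name string only (no signatures, dates or constraints are checked).

```python
"""Explain OpenSSL verify error 20, 'unable to get local issuer certificate', from
an `openssl s_client -showcerts` transcript. Added example, not code from the
curl-users thread or from curl: it parses the `Certificate chain` section (`s:`
subject / `i:` issuer lines), walks it leaf-to-root and reports the error number
and depth OpenSSL would print, with trusted root subject names standing in for the
CA store. Name matching only; real verification also checks signatures and dates."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed transcript: the chain from the thread, subjects trimmed to their
# identifying fields. The server sends the leaf and the DigiCert intermediate.
DIRECT_CHAIN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Python Software Foundation/CN=www.python.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
"""
# Constructed transcript of what an intercepting proxy presents instead: a leaf
# for the same name, re-issued by the company CA the browser was showing.
INTERCEPTED_CHAIN = """\
Certificate chain
 0 s:/CN=pypi.org
   i:/O=MY_COMPANY/CN=MY_COMPANY Root CA
---
"""
DIGICERT_EV_ROOT = "/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA"
COMPANY_ROOT = "/O=MY_COMPANY/CN=MY_COMPANY Root CA"   # hypothetical proxy CA name
_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.+)$")
_ISSUER = re.compile(r"^\s*i:(.+)$")


def parse_chain(transcript: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain: List[Tuple[str, str]] = []
    lines, in_chain = transcript.splitlines(), False
    for idx, line in enumerate(lines):
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":
            break                      # end of the chain section
        elif in_chain and (m := _SUBJECT.match(line)) and idx + 1 < len(lines):
            mi = _ISSUER.match(lines[idx + 1])
            if mi:
                chain.append((m.group(2).strip(), mi.group(1).strip()))
    return chain


class Verdict(NamedTuple):
    code: int               # OpenSSL verify error number, 0 when trusted
    depth: int              # chain position where checking stopped (0 = leaf)
    subject: str            # certificate at that depth
    missing: Optional[str]  # issuer that could not be found, if any


def verify_by_name(chain: List[Tuple[str, str]], trusted_roots) -> Verdict:
    """Walk the chain like a path builder: every issuer must be the subject of
    another sent certificate or a trusted root, else report where lookup failed."""
    if not chain:
        raise ValueError("no certificates in transcript")
    trusted, sent = set(trusted_roots), dict(chain)   # sent: subject -> issuer
    subject, issuer = chain[0]
    depth, visited = 0, {subject}
    while True:
        if subject in trusted or issuer in trusted:
            return Verdict(0, depth, subject, None)
        if issuer == subject:          # self-signed and not trusted
            return Verdict(18 if depth == 0 else 19, depth, subject, None)
        if issuer in sent and issuer not in visited:
            visited.add(issuer)        # follow the link the server provided
            subject, issuer, depth = issuer, sent[issuer], depth + 1
            continue
        return Verdict(20, depth, subject, issuer)   # neither sent nor trusted


def advice(v: Verdict) -> str:
    """Read error 20 as the thread does: depth 0 points at the server or at an
    intercepting proxy's private CA, depth >= 1 at the local CA bundle."""
    if v.code != 20:
        return "chain verified" if v.code == 0 else "untrusted self-signed certificate"
    if v.depth == 0:
        return (f"leaf issuer ({v.missing}) neither sent nor trusted: the server "
                "omitted an intermediate, or this is a private proxy CA to add to curl's bundle")
    return (f"chain links up to depth {v.depth}; root ({v.missing}) is not in the "
            "local store: bundle incomplete/out of date (curl --cacert / CURL_CA_BUNDLE)")


if __name__ == "__main__":
    for label, transcript, store in [
        ("direct, root in bundle", DIRECT_CHAIN, [DIGICERT_EV_ROOT]),
        ("direct, root missing", DIRECT_CHAIN, []),
        ("intercepted, company CA absent", INTERCEPTED_CHAIN, [DIGICERT_EV_ROOT]),
        ("intercepted, company CA added", INTERCEPTED_CHAIN, [DIGICERT_EV_ROOT, COMPANY_ROOT]),
    ]:
        v = verify_by_name(parse_chain(transcript), store)
        print(f"{label}: depth={v.depth} num={v.code}: {advice(v)}")
```

The depth is the useful signal in the transcript above: a failure at depth=1 means the two certificates the server sent link to each other and only their root could not be found locally, which is the incomplete-bundle case rather than a missing intermediate; a failure at depth=0 whose missing issuer is a private name like the company CA is the interception case, and the fix is to give curl that CA (`--cacert` or `CURL_CA_BUNDLE`) rather than to change anything on the server.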
Ray Satiro
2018-01-30 21:32:31 UTC
Post by Daniel Stenberg
Post by 杜秀涛 via curl-users
I want to visit https://pypi.io from a Linux server. I have set the environment
% curl -LO https://pypi.io/packages/source/v/virtualenv/virtualenv-15.0.2.tar.gz
I got this error: unable to get local issuer certificate
This error is usually what you get when the server doesn't send you
the full set of certificates. Usually there's a missing intermediate
certificate.
Although in this case, I can curl this site just fine so I would
perhaps rather suspect that your CA store is incomplete / out-of-date?
Post by 杜秀涛 via curl-users
When I was trying to solve the problem, I found that the certificates
shown by my browser and by the openssl showcerts command are different,
even though they were using the same proxy.
FIRST: MY_COMPANY Root Ca
SECOND: pypi.org
Having your company accepted in the browser's CA store is a sign that
you're using a MITM proxy and your traffic is intercepted and
inspected. That is itself not a reason for an error, but perhaps you
don't have your company's CA cert in your CA store for your curl command?
Post by 杜秀涛 via curl-users
I want to know why.
I don't know! It's not a common scenario...
I agree. Run curl with -v and check the server certificate and issuer.
Also check the CA certificate locations which are shown in this format:

* successfully set certificate verify locations:
*   CAfile: /foo/bar
  CApath: none
