So I'm having a problem with my certificates. They work properly in Firefox, but not via the command-line tool 'curl'. Exposition follows.
Some background: I have my own Certificate Authority. It's called Static Magic and you can see its certificates at https://ssl.staticmagic.net/ssl/.
Of particular note is the Certificate Authority certificate, staticmagic.crt.
I have imported the Static Magic Certificate Authority certificate into my Firefox browser, and it works as it should.
So because I have my own trusted certificate authority, I can issue my own certificates. And because I don't need to do domain or identity verification I have been able to issue a certificate with a Subject Alternative Name using the DNS name 'localhost'. This allows me to serve files from my local machine at https://localhost/.
So serving files from 'localhost' isn't super important, and if I can't figure out this issue I will just revert to using certificates issued by Let's Encrypt.
I'm annoyed though, because this used to work, but it doesn't work anymore after I repaved my machine. There must be some little configuration switch that I'm not finding...
I created some text files with the server certificate and the certificate authority certificate details like this:
root@tact:/home/jj5/desktop/cert-issue# openssl x509 -in /root/cert/host/crt.pem -noout -text > crt.txt
root@tact:/home/jj5/desktop/cert-issue# cat /root/cert/host/crt.pem >> crt.txt
root@tact:/home/jj5/desktop/cert-issue# openssl x509 -in /usr/local/share/ca-certificates/staticmagic.crt -noout -text > ca.txt
root@tact:/home/jj5/desktop/cert-issue# cat /usr/local/share/ca-certificates/staticmagic.crt >> ca.txt
The created files are here and here, or you can see them in the iframes below.
My Firefox web browser is configured to trust my certificate authority, and that's working, as you can see here:
But I can't get 'curl' to work. It fails like this:
jj5@tact:~/desktop/experiment$ curl https://localhost/robots.txt
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.
I'm not sure why curl won't accept the certificate; it seems to be properly registered in the system:
jj5@tact:/etc/ssl/certs$ ll | grep static
lrwxrwxrwx 1 root root 15 Aug 1 17:18 794cb6e2.0 -> staticmagic.pem
lrwxrwxrwx 1 root root 48 Aug 1 17:18 staticmagic.pem -> /usr/local/share/ca-certificates/staticmagic.crt
Any help greatly appreciated!
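An added example, not part of the original post: a shell check of whether a given CA file is really the direct issuer of a server certificate, comparing the hash used for names like 794cb6e2.0 and then the signature. The function names, the "Demo Root CA" subject and all keys and certificates are constructed for the demonstration; it assumes the openssl command line tool, version 1.1.0 or later.

```shell
#!/bin/sh
# Added example. Every key, certificate and name here is constructed in a temp dir.

# check_issuer LEAF CA
#   returns 0: CA issued LEAF; 1: names differ; 2: name matches, signature does not.
check_issuer() {
    # Files in /etc/ssl/certs such as 794cb6e2.0 are named after the subject hash,
    # and a verifier looks the issuer up by the leaf's issuer hash.
    [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = \
      "$(openssl x509 -in "$2" -noout -subject_hash)" ] || return 1
    # A matching name is not proof: the leaf must also verify under this CA's key.
    # -no-CApath keeps the system trust directory out of the decision.
    openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1 || return 2
}

# make_demo_pki DIR: constructed root CA, a second CA with the same subject but a
# different key ("lookalike"), and a leaf for localhost signed by the first CA.
make_demo_pki() {
    d=$1
    for name in ca lookalike; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
            -keyout "$d/$name.key" -out "$d/$name.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:localhost\n' > "$d/san.ext"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/san.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Demo run: the real issuer passes, the same-named CA with another key does not.
demo=$(mktemp -d)
make_demo_pki "$demo"
for ca in ca lookalike; do
    rc=0
    check_issuer "$demo/leaf.pem" "$demo/$ca.pem" || rc=$?
    echo "$ca.pem: check_issuer returned $rc"
done
rm -rf "$demo"
```

With real files, the first argument is the server certificate and the second is the CA certificate installed in the trust store.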