4

When using curl in verbose mode, I get this error:

Command:

$ curl -vvI https://www.google.com

Error:

* successfully set certificate verify locations:
* CAfile: none CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0

But if I send the same command with sudo, the connection is set up successfully, so I guess it's a permission issue.

This is what I get with the namei command:

$ namei -mo /etc/ssl/certs/ca-certificates.crt

f: /etc/ssl/certs/ca-certificates.crt
 drwxr-xr-x root root /
 drwxr-xr-x root root etc
 drwxr-xr-x root root ssl
 drw-r--r-- root root certs
 ca-certificates.crt - Permission denied

So I issued this command:

$ sudo chmod 755 /etc/ssl/certs/ca-certificates.crt

That was executed without errors, but the output of the namei command is the same.

Same thing with /etc/ssl/certs/certificate.crt

Finally, if I send this command:

$ sudo ls -l /etc/ssl/certs/ca-certificates.crt

I get:

-rwxr-xr-x 1 root root 218664 lug 19 18:51 /etc/ssl/certs/ca-certificates.crt
perissf
  • 161

3 Answers

3

You can't access files in the /etc/ssl/certs directory because it is missing search permission (x). You may fix that with chmod, e.g.: chmod a+x /etc/ssl/certs

Michael Hampton
  • 252,907
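
The check this answer describes, as an added example that is not part of the original thread: it walks the directories leading to the bundle and reports the first one a given user cannot search, which is what namei showed for certs (drw-r--r--). It reads mode bits only (no ACLs or SELinux/AppArmor policy); the function names and the `start` parameter are assumptions made for illustration.

```python
import os
import stat

def can_search(st, uid, gids):
    """Apply the Unix permission-class rule to one directory's stat result."""
    if uid == 0:
        return True  # root bypasses the search check, which is why sudo worked
    if st.st_uid == uid:
        bit = stat.S_IXUSR      # owner class
    elif st.st_gid in gids:
        bit = stat.S_IXGRP      # group class
    else:
        bit = stat.S_IXOTH      # everyone else
    return bool(st.st_mode & bit)

def first_blocked_dir(path, uid, gids, start="/"):
    """Return the first directory below `start` on the way to `path` that
    `uid` cannot traverse (missing x), or None if all are searchable."""
    start = os.path.abspath(start)
    parts = os.path.relpath(os.path.abspath(path), start).split(os.sep)
    current = start
    for name in parts[:-1]:              # every ancestor of the final component
        current = os.path.join(current, name)
        st = os.stat(current)            # follows symlinks, like path resolution
        if not stat.S_ISDIR(st.st_mode):
            raise NotADirectoryError(current)
        if not can_search(st, uid, gids):
            return current               # stop here: nothing below is reachable
    return None

if __name__ == "__main__":
    bundle = "/etc/ssl/certs/ca-certificates.crt"   # path from the question
    groups = set(os.getgroups()) | {os.getegid()}
    blocked = first_blocked_dir(bundle, os.getuid(), groups)
    print(blocked or "every directory on the path is searchable")
```

Changing the mode of the file itself does not alter the result, because the walk stops at the directory that lacks x before the file is ever reached.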
0

As you have seen, you can't access ca-certificates.crt. The curl command tries to access the certificate bundle with your user, but fails. You can fix this by using chmod. 755 may be used in this case, as certificate bundles are not sensitive files.

A. Darwin
  • 632
0

When I see "But if I send the same command with sudo, the connection is set up successfully", I think it's the same issue. Check more with the link.

rm "$(brew --prefix)"/etc/{openssl@{1.1,3},ca-certificates}/cert.pem
brew reinstall ca-certificates
brew postinstall openssl@{1.1,3}
suiwenfeng
  • 101
  • 2