自签名认证 SSL 证书的问题

Question

I followed this guide to install certified self-signed SSL certificate on localhost and all works fine in Chrome (no longer any warning, everything is green if https is used on localhost pages):

Getting Chrome to accept self-signed localhost certificate

However, if I'm running same requests on Ubuntu console via CURL I'm getting unable to get local issuer certificate :

aherne@home-NUC8i7INH:~$ curl https://localhost
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

This issue reproduces in PHP using certificate from https://curl.haxx.se/ca/cacert.pem :

$ch = curl_init("https://localhost");
curl_setopt($ch, CURLOPT_CAINFO, "cacert.pem");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$body = curl_exec($ch);
if ($body===false) {
    throw new Exception(curl_error($ch), curl_errno($ch));
}
curl_close($ch);

On further verification, issue reproduces using openssl command:

aherne@home:~$ openssl s_client -connect localhost:443\\n CONNECTED(00000005) depth=0 C = RO, ST = Bucharest, L = Bucharest, O = Home, OU = Home, CN = localhost verify error:num=20: unable to get local issuer certificate verify return:1 depth=0 C = RO, ST = Bucharest, L = Bucharest, O = Home, OU = Home, CN = localhost verify error:num=21:unable to verify the first certificate verify return:1

---

Is there any way to trick CURL in accepting my certificate as well as my authority that certified it (same way as Chrome)? Making cURL skip SSL verification is a non-solution!

Answer 1

I believe the possible ways to have curl accept your certificate authority are located here:

https://curl.haxx.se/docs/sslcerts.html

I suspect this would be the easiest approach:

If you're using the curl command line tool, you can specify your own CA cert file by setting the environment variable CURL_CA_BUNDLE to the path of your choice.