Certificate verify failed perl

Question

I am running this bit of code from a cgi. It is supposed to insert a bit of text into the site: https://elibrary.ferc.gov/idmws/search/FercAdvSearch.asp and then return the response page and download the link on my server. This used to run but now does not. I get the "certificate verify failed" message. I am running perl 5.18.2 and using lwp::UserAgent. SSLlabs.com says the site has "Chain issues Contains anchor". Do I need to download one of the certificates to my server?

$q =~ s#\n#&#mg;

# Create a request
if( ! $acid ){
    print $query->start_html('Problems');
    print $query->h2('Request not processed.' . " No accession             number supplied" );
    print  $query->end_html;
}else{
#    my $req = HTTP::Request->new(POST => "https://elibrary.ferc.gov/idmws/search/advResults.asp");
    my $req = HTTP::Request->new(POST => "https://elibrary.ferc.gov/idmws/search/fercadvsearch.asp");
    $req->content_type('application/x-www-form-urlencoded');
    $req->content("$q");

    # Pass request to the user agent and get a response back
    my $res = $ua->request($req);

    #print "$q<br>\n";
    # Check the outcome of the response
    if ($res->is_success) {
        $html = $res->content;
        $html =~ s#=\s*'\.\./#='https://elibrary.ferc.gov/idmws/#g;
        # ACTION="advResults.asp"
        $html =~ s#ACTION="#ACTION="https://elibrary.ferc.gov/idmws/search/#g;
        $html =~ s#ACTION='#ACTION='https://elibrary.ferc.gov/idmws/search/#g;
        $html =~ s#HREF='intermediate.asp#HREF='https://elibrary.ferc.gov/idmws/search/intermediate.asp#gm;
        $html =~ s#HREF=(['"])([a-z,A-Z,0-9,-,_./]+).asp#HREF=${1}https://elibrary.ferc.gov/idmws/search/$2.asp#gmi;
        #<A href='intermediate.asp?link_info=yes&doclist=13518346'      target="_blank">INFO</A><BR><BR>
        print $html;
        print "($EndDate) ($StartDate)";
    }
    else {
        print "ERROR getting <A HREF='https://elibrary.ferc.gov/idmws/search/advResults.asp'>https://elibrary.ferc.gov/idmws/search/advResults.asp</a>" . $res->status_line. "\n";
    }
}

Answer 1

SSLlabs.com says the site has "Chain issues Contains anchor". Do I need to download one of the certificates to my server?

While it is a misconfiguration of the server just having the root certificate ("anchor") included in the certificates sent by the server is not a problem for the verification. It will be simply ignored. In fact, I have no problems accessing the site with a current LWP and with the default root CA on my installation at all.

This used to run but now does not. I get the "certificate verify failed" message.

As I said, it runs on my system without problems. And while the configuration of this server is terrible ( grade F in the SSLLabs report ) the configuration of the certificate and thus the verification of these is not a real problem.

Thus it is more likely that some changes were done on your system which caused it no longer to trust the necessary root CA (DigiCert Global Root CA). Unfortunately this configuration is outside of your code so it is unknown what was actually done here.

But to fix the problem for your specific case you can just download the necessary root certificate , write it into a file (like ca.pem ) and then give this file explicitly as root CA store for your program:

my $ua = LWP::UserAgent->new;
$ua->ssl_opts('SSL_ca_file' => 'ca.pem');