  • 1
    There seems to be a solution there: stackoverflow.com/a/21262787/6368697 Commented Jun 22, 2018 at 2:20
  • 1
    @PatrickMevzek No, "without modifying anything in /etc" is not satisfied by that solution. Commented Jun 22, 2018 at 2:58
  • 1
    Although there's no real CA, a self-signed cert is effectively treated as its own CA for validation purposes. Try openssl x509 <file to make sure it's in the right format and openssl s_client ... -CAfile file to see if that validates. (BTW -showcerts only applies to chain certs from the server and is meaningless when there are no chain certs.) Also, curl doesn't always use OpenSSL and if not it doesn't always accept exactly the same formats; check curl -V (uppercase V). Commented Jun 22, 2018 at 8:44
  • What do you mean by "make cURL trust it"? In general there is no notion of "trust" for self-signed certificates since anyone can make them. What is it that you want? Only to accept that one certificate's fingerprint? Only a certain certificate including the extensions? Something else? Commented Oct 17, 2018 at 22:49
  • I'm having a similar issue. I get the certificate chain of a self-signed CA of our corporate proxy using the openssl s_client -showcerts answer, but curl -v --cacert cacert.pem URL won't add the self-signed CA as an explicit whitelisting of trust with CERT_TRUST_REVOCATION_STATUS_UNKNOWN. Commented Oct 24, 2018 at 23:13
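
The format and validation checks suggested in the Jun 22, 2018 at 8:44 comment, as an added shell example that is not part of the thread. It runs offline by using `openssl verify -CAfile` on throwaway certificates instead of `s_client` against a live server; the file names, CN values and function names are made up for the demonstration.

```shell
#!/bin/sh
# Constructed demo: file names and CNs below are invented for this example.

# Create a throwaway self-signed certificate; its key lives only in the temp dir.
make_selfsigned() {  # $1 = output cert path, $2 = CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Format check: succeeds only if the file parses as a PEM X.509 certificate.
is_pem_cert() {
    openssl x509 -in "$1" -noout 2>/dev/null
}

# Validation check: does cert $2 verify against the trust anchors in file $1?
# A self-signed cert passes only when it is itself present in the -CAfile.
validates_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint, for the case where only one exact cert should be accepted.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

demo() {
    dir=$(mktemp -d) || return 1
    make_selfsigned "$dir/server.pem" server.example.test
    make_selfsigned "$dir/other.pem" other.example.test
    is_pem_cert "$dir/server.pem" && echo "server.pem: parses as PEM"
    validates_against "$dir/server.pem" "$dir/server.pem" \
        && echo "server.pem: validates when used as its own CAfile"
    validates_against "$dir/server.pem" "$dir/other.pem" \
        || echo "other.pem: rejected, it is not in the CAfile"
    echo "server.pem SHA-256: $(fingerprint "$dir/server.pem")"
    rm -rf "$dir"
}
demo
```

A file that passes these checks is known to be acceptable to OpenSSL only; as the comment notes, a curl build with a different TLS backend may not accept the same formats.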