Error Reading Cacert File /etc/ssl/certs/ca-certificates.crt
Permission Issues with /etc/ssl/certs/ca-certificates.crt
http://askubuntu.com/questions/636962/permission-issues-with-etc-ssl-certs-ca-certificates-crt

When trying to curl or git clone something over HTTPS as a regular user, it fails with the error:

    fatal: unable to access 'https://github.com/mikemackintosh/xxx/': Problem with the SSL CA cert (path? access rights?)

Note: If I run the commands as root, it works fine, but root should not be the only user able to communicate over ssl.

So I think to myself, ok, what's curl doing behind the scenes:

    $ GIT_CURL_VERBOSE=1 git clone https://github.com/mikemackintosh/xxx
    Cloning into 'xxx'...
    * Couldn't find host github.com in the .netrc file; using defaults
    * Hostname was NOT found in DNS cache
    * Trying 192.30.252.130...
    * Connected to github.com (192.30.252.130) port 443 (#0)
    * error reading ca cert file /etc/ssl/certs/ca-certificates.crt (Error while reading file.)
    * Closing connection 0
    fatal: unable to access 'https://github.com/mikemackintosh/xxx/': Problem with the SSL CA cert (path? access rights?)

As a result, we are able to confirm the ca-certificate file is: /etc/ssl/certs/ca-certificates.crt which matches curl-config --ca output. The next step is to try and read the file.

As just a plain-old, non-root user:

    $ cat /etc/ssl/certs/ca-certificates.crt
    cat: /etc/ssl/certs/ca-certificates.crt: Permission denied

Now that seems strange.

    $ sudo

server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
http://stackoverflow.com/questions/21181231/server-certificate-verification-failed-cafile-etc-ssl-certs-ca-certificates-c

I can push by clone project using ssh, but it doesn't work when I clone project with https. It shows message error as below.

    server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

asked Jan 17 '14 at 8:34 by Sokhom Ratanak, edited Jan 17 '14 at 8:53 by VonC

possible duplicate of SSL certificate rejected trying to access GitHub over HTTPS behind firewall – Oleg Jul 11 '14 at 12:53

I don't think it's really a duplicate. In that question there were no CA files at all. Quite related, sure. – uli_1973 Jul 8 '15 at 15:33

12 Answers

TLDR:

    # XXX stands for the host name of the server
    hostname=XXX
    port=443
    # Path of the CA bundle that curl was built to use
    trust_cert_file_location=`curl-config --ca`
    # Append every certificate the server presents to that CA bundle
    sudo bash -c "echo -n | openssl s_client -showcerts -connect $hostname:$port 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> $trust_cert_file_location"

Long answer

The basic reason is that your computer doesn't trust the certificate authority that signed the certificate used on the Gitlab server.
This doesn't mean the certificate is suspicious, but it could be self-signed or s
Git and Curl SSL Certificates Configuration on Beaglebone Black
http://derekmolloy.ie/fixing-git-and-curl-certificates-problem-on-beaglebone-blac/

I have noticed that on the Beaglebone Black I am constantly having problems with git and curl when it comes to https sites. This post addresses the configuration problems and shows you different ways to solve the problem that may suit your particular needs.

Fixing the SSL problems with Git

Out of the box, if you try to commit to a GitHub repository using https (a requirement of GitHub) then you will have difficulties with certificates. The error you will get looks like this (I'm using -v for verbose mode):

    root@beaglebone:~# git clone https://github.com/derekmolloy/boneCV.git -v
    Cloning into 'boneCV'...
    fatal: unable to access 'https://github.com/derekmolloy/boneCV.git/': Problem with the SSL CA cert (path? access rights?)

https://curl.haxx.se/docs/sslcerts.html

If libcurl was built with Schannel or Secure Transport support (the native SSL libraries included in Windows and Mac OS X), then this does not apply to you. Scroll down for details on how the OS-native engines handle SSL certificates. If you're not sure, then run "curl -V" and read the results. If the version string says "WinSSL" in it, then it was built with Schannel support.

It is about trust

This system is about trust. In your local CA certificate store you have certs from trusted Certificate Authorities that you then can use to verify that the server certificates you see are valid. They're signed by one of the CAs you trust.

Which CAs do you trust? You can decide to trust the same set of companies your operating system trusts, or the set one of the known browsers trust. That's basically trust via someone else you trust. You should just be aware that modern operating systems and browsers are set up to trust hundreds of companies and in recent years several such CAs have been found untrustworthy.

Certificate Verification

libcurl performs peer SSL certificate verification by default. This is done by using a CA certificate store that the SSL library can use to make sure the peer's server certificate is valid.

If you communicate with HTTPS, FTPS or other TLS-using servers using certificates that are signed by CAs present in the store, you can be sure that the remote server really is the one it claims to be.

If the remote server uses a self-signed certificate, if you don't install a CA cert store, if the server uses a certificate signed by a CA that isn't included in the store you use or if the remote host is an impostor impersonating your favorite site, and you want to transfer files from this server, do one of the following:

Tell libcurl to not verify the peer. With libcurl you disable this with curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, FALSE); With the curl command line tool, you disable this with -k/--insecure.
Get a CA certificate that can verify the remote server and use the proper option to point out this CA cert for verificatio