# curl (I think) problem

## curmudgeon

A program that uses curl keeps coughing out:

```

Peer certificate cannot be authenticated with given CA certificates: SSL certificate problem, verify that the CA cert is OK. Details:

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

```

I have spent a significant amount of time searching for a solution, and most of the suggestions involve a lack of (or obsolete) root certificates. Since I have the latest ca-certificates installed (with no broken links or other obvious problems), that doesn't seem like the source of the issue.

Information about the certificate (which I learned how to get from all of my reading):

```

$ openssl s_client -host signin.ebay.com -port 443

CONNECTED(00000003)

depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5

verify error:num=20:unable to get local issuer certificate

verify return:0

---

Certificate chain

 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2871352/C=US/postalCode=95125/ST=California/L=San Jose/street=2145 Hamilton Ave/O=eBay Inc./OU=Site Operations/CN=signin.ebay.com

   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA

 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA

   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5

 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5

   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

---

Server certificate

-----BEGIN CERTIFICATE-----

MIIIXjCCB0agAwIBAgIQPqLLa6xb3tYmpa6m2RTjDDANBgkqhkiG9w0BAQUFADCB

ujELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL

ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug

YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE0MDIGA1UEAxMr

VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBDQTAeFw0x

MTAxMTkwMDAwMDBaFw0xMzAxMjMyMzU5NTlaMIIBCjETMBEGCysGAQQBgjc8AgED

EwJVUzEZMBcGCysGAQQBgjc8AgECEwhEZWxhd2FyZTEdMBsGA1UEDxMUUHJpdmF0

ZSBPcmdhbml6YXRpb24xEDAOBgNVBAUTBzI4NzEzNTIxCzAJBgNVBAYTAlVTMQ4w

DAYDVQQRFAU5NTEyNTETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxQIU2Fu

IEpvc2UxGjAYBgNVBAkUETIxNDUgSGFtaWx0b24gQXZlMRIwEAYDVQQKFAllQmF5

IEluYy4xGDAWBgNVBAsUD1NpdGUgT3BlcmF0aW9uczEYMBYGA1UEAxQPc2lnbmlu

LmViYXkuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3fF7qsUm

ltnVU395Tlg8wEMITNv3X1hCXr4Engs3DLnta2LzDH2HR2hkAZhs7QwFADlCZ0/I

6LLQ6HChhF91HcrL3fbM9eQphBMrQ5QhqKqDZa2YMR2VJy3OaxqHjTlrgseES2CJ

B0DJoQ31NxEpj4dETfkK2fDHhvFYj//RyneIFIkvaw0F2hOBYbKWBfMx0uK/VX9/

4LYKQw6xBp/2T9MSXU0jP1pqwrtg8c0l6vB9ijF/SY5pLZZOYMmJ7QLpSRIflqLs

P4Voz1c4RDmyhm/RS421SaUzlarPeMnof1HoTsO/hUXow0vhfYt4OklKV3T6gcZ2

+DR2jnUL6QjRdwIDAQABo4IECzCCBAcwggIUBgNVHREEggILMIICB4IPc2lnbmlu

LmViYXkuY29tgg5zaWduaW4uZWJheS5hdIIOc2lnbmluLmViYXkuYmWCDnNpZ25p

bi5lYmF5LmNhgg5zaWduaW4uZWJheS5jaIIOc2lnbmluLmViYXkuZGWCDnNpZ25p

bi5lYmF5LmVzgg5zaWduaW4uZWJheS5mcoIOc2lnbmluLmViYXkuaWWCDnNpZ25p

bi5lYmF5Lmlugg5zaWduaW4uZWJheS5pdIIOc2lnbmluLmViYXkubmyCDnNpZ25p

bi5lYmF5LnBogg5zaWduaW4uZWJheS5wbIIRc2lnbmluLmViYXkuY28udWuCEnNp

Z25pbi5lYmF5LmNvbS5hdYISc2lnbmluLmViYXkuY29tLmhrghJzaWduaW4uZWJh

eS5jb20ubXmCEnNpZ25pbi5lYmF5LmNvbS5zZ4ITc2lnbmluLmJlZnIuZWJheS5i

ZYITc2lnbmluLmJlbmwuZWJheS5iZYITc2lnbmluLmNhZnIuZWJheS5jYYIXc2ln

bmluLmV4cHJlc3MuZWJheS5jb22CFHNpZ25pbi5oYWxmLmViYXkuY29tghxzaWdu

aW4ubGl2ZWF1Y3Rpb25zLmViYXkuY29tghhzaWduaW4uc2hvcHBpbmcuZWJheS5j

b22CG3NpZ25pbi53b3JsZG9mZ29vZC5lYmF5LmNvbTAJBgNVHRMEAjAAMB0GA1Ud

DgQWBBTgXmYC0gjb9HFTji+RYF/OtcPJWTALBgNVHQ8EBAMCBaAwQgYDVR0fBDsw

OTA3oDWgM4YxaHR0cDovL0VWU2VjdXJlLWNybC52ZXJpc2lnbi5jb20vRVZTZWN1

cmUyMDA2LmNybDBEBgNVHSAEPTA7MDkGC2CGSAGG+EUBBxcGMCowKAYIKwYBBQUH

AgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9ycGEwHQYDVR0lBBYwFAYIKwYB

BQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFPyKULqeuSVae1WFT5UAY4/pWGtD

MHwGCCsGAQUFBwEBBHAwbjAtBggrBgEFBQcwAYYhaHR0cDovL0VWU2VjdXJlLW9j

c3AudmVyaXNpZ24uY29tMD0GCCsGAQUFBzAChjFodHRwOi8vRVZTZWN1cmUtYWlh

LnZlcmlzaWduLmNvbS9FVlNlY3VyZTIwMDYuY2VyMG4GCCsGAQUFBwEMBGIwYKFe

oFwwWjBYMFYWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFEtruSiWBgy70FI4myms

SweLIQUYMCYWJGh0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28xLmdpZjAN

BgkqhkiG9w0BAQUFAAOCAQEAOEmD2bGiV4C0ba2GKakTphtGPA7uIVn6b0TeSUIF

6YHzzNlxU/yxumI1ghdmqaLUARvLVdNoEk4m7HoWLEDRVTJO6/BDGUK4I06c8u20

F2oW7qJCSgQbtyg62n/NeSmN4zMJo8JLTXfyIeZ6kjRj1SdKupyI/DnQVWaQNBv7

4IMelo0yQNeeNEF4/INZxaLdc6o1x8A0FOvKaM+16MrnJSsNXO0sioufC22zRIPw

o6rJ7sQx6ZhEefUgxBCgSJcpBkUUP6II0a/cQzMP5OUXkcKTnfoYAqSQmKRVSKCR

CqXkeyEODiBRQyvG2jsFFpYWKSQlLR08qs1usFHkx363Cw==

-----END CERTIFICATE-----

subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=2871352/C=US/postalCode=95125/ST=California/L=San Jose/street=2145 Hamilton Ave/O=eBay Inc./OU=Site Operations/CN=signin.ebay.com

issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA

---

No client certificate CA names sent

---

SSL handshake has read 5063 bytes and written 525 bytes

---

New, TLSv1/SSLv3, Cipher is RC4-SHA

Server public key is 2048 bit

Secure Renegotiation IS NOT supported

Compression: NONE

Expansion: NONE

SSL-Session:

    Protocol  : TLSv1

    Cipher    : RC4-SHA

    Session-ID: 19C53BDA34AB23BE509E112E0D6234A8F209CF862A51CAFFC345E6B633D2FCB1

    Session-ID-ctx: 

    Master-Key: B499B19F933DC62250CB5D8933DA9EDE06C47163C1A6249B02E1DD351A33AA1D8E4EC9CAD15EA8C97907DB6B0490A85A

    Key-Arg   : None

    PSK identity: None

    PSK identity hint: None

    Start Time: 1331085860

    Timeout   : 300 (sec)

    Verify return code: 20 (unable to get local issuer certificate)

---

```

Can someone tell me why curl always fails to authenticate this?

----------

## truc

is it specific to a server?

There is an entry in curl's FAQ concerning a problem with some SSL server ("4.1 Problems connecting to SSL servers."). work around were to either use --sslv3 or --sslv2?

----------

