erovira / transa-script

Shell script to compute the Itaú/BROU mean USD/UYU exchange rate

Unable to verify BCU's CA #19

Closed erovira closed 5 months ago

erovira commented 5 months ago

When trying to do a POST request to bcu.gub.uy from Ubuntu, both curl and wget fail with the following messages:

curl --verbose --header "Content-Type: application/json" --request POST https://www.bcu.gub.uy/_layouts/15/BCU.Cotizaciones/handler/CotizacionesHandler.ashx?op=getcotizaciones --data '{"KeyValuePairs": {"Monedas": [{"Val": "2225","Text": "DLS. USA BILLETE"}],"FechaDesde": "20/05/2024","Grupo": "2"}}'
Note: Unnecessary use of -X or --request, POST is already inferred.
* Host www.bcu.gub.uy:443 was resolved.
* IPv6: (none)
* IPv4: 190.0.157.55
*   Trying 190.0.157.55:443...
* Connected to www.bcu.gub.uy (190.0.157.55) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

wget --verbose --method POST --header='Content-Type: application/json' --body-data='{"KeyValuePairs": {"Monedas": [{"Val": "2225","Text": "DLS. USA BILLETE"}],"FechaDesde": "20/05/2024","Grupo": "2"}}' --output-document=/dev/stdout https://www.bcu.gub.uy/_layouts/15/BCU.Cotizaciones/handler/CotizacionesHandler.ashx?op=getcotizaciones
--2024-06-02 00:09:50--  https://www.bcu.gub.uy/_layouts/15/BCU.Cotizaciones/handler/CotizacionesHandler.ashx?op=getcotizaciones
Resolving www.bcu.gub.uy (www.bcu.gub.uy)... 190.0.157.55
Connecting to www.bcu.gub.uy (www.bcu.gub.uy)|190.0.157.55|:443... connected.
ERROR: cannot verify www.bcu.gub.uy's certificate, issued by ‘CN=Abitab SSL Organization Validated,OU=IDdigital,O=Abitab S.A.,C=UY’:
  Unable to locally verify the issuer's authority.
To connect to www.bcu.gub.uy insecurely, use `--no-check-certificate'.

The site is indeed secure; you can go to https://www.bcu.gub.uy and inspect the certificates yourself. But for some reason, in Ubuntu, neither curl nor wget is able to download it and attach it to /etc/ssl/certs/ca-certificates.crt, which, if we do it manually, fixes the issue.
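
An added example, not part of the original issue or of transa-script: an offline reproduction of the "unable to get local issuer certificate" failure and of the fix described above, using a dedicated bundle instead of editing the system file or disabling verification. It assumes the issuing CA is simply absent from the local bundle; every certificate, CA name and the host www.example.test are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Offline reproduction with throwaway certificates (all names are constructed).

# make_ca DIR NAME CN: self-signed CA certificate DIR/NAME.pem with key DIR/NAME.key.
make_ca() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
    '[dn]' "CN=$3" '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$1/$2.cnf"
  openssl req -x509 -config "$1/$2.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf DIR CA CN: server certificate DIR/leaf.pem signed by the CA named CA.
make_leaf() {
  openssl req -new -config "$1/$2.cnf" -subj "/CN=$3" -newkey rsa:2048 -nodes \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# verify_against BUNDLE CERT: print openssl's verdict; status 0 only if CERT chains
# to a CA in BUNDLE. -no-CApath keeps the default CA directory out of the check.
verify_against() { openssl verify -no-CApath -CAfile "$1" "$2" 2>&1; }

# fingerprint CERT: SHA-256 fingerprint to compare out of band before trusting CERT.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

demo() {
  local d; d=$(mktemp -d) || return 1
  make_ca "$d" system "Constructed System Root" &&
  make_ca "$d" issuer "Constructed Issuing CA" &&
  make_leaf "$d" issuer www.example.test || return 1
  echo "--- bundle without the issuer (the situation in the logs above)"
  verify_against "$d/system.pem" "$d/leaf.pem"
  echo "--- check the issuer out of band, then trust it in a dedicated bundle"
  fingerprint "$d/issuer.pem"
  cat "$d/system.pem" "$d/issuer.pem" > "$d/bundle.pem"
  verify_against "$d/bundle.pem" "$d/leaf.pem"
  # The same file would be passed per request, leaving the system store untouched:
  #   curl --cacert "$d/bundle.pem" ...   or   wget --ca-certificate="$d/bundle.pem" ...
  rm -rf "$d"
}
demo
```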

sebastian-correa commented 5 months ago

I get the same error on my Fedora 40 machine:

❯ curl --verbose --header "Content-Type: application/json" --request POST --data "$body" "$url"
Note: Unnecessary use of -X or --request, POST is already inferred.
* Host www.bcu.gub.uy:443 was resolved.
* IPv6: (none)
* IPv4: 190.0.157.55
*   Trying 190.0.157.55:443...
* Connected to www.bcu.gub.uy (190.0.157.55) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Version info:

❯ cat /etc/fedora-release
Fedora release 40 (Forty)
❯ curl --version
curl 8.6.0 (x86_64-redhat-linux-gnu) libcurl/8.6.0 OpenSSL/3.2.1 zlib/1.3.0.zlib-ng libidn2/2.3.7 nghttp2/1.59.0
Release-Date: 2024-01-31
Protocols: file ftp ftps http https ipfs ipns
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz SPNEGO SSL threadsafe UnixSockets