Closed bung87 closed 3 months ago
I have to "extract the CA cert for a particular server" according to https://curl.se/docs/sslcerts.html
openssl s_client -showcerts -servername server -connect server:443 > cacert.pem
and modify puppy/platforms/linux/platform.nim
discard curl.easy_setopt(OPT_CAINFO, "cacert.pem".cstring)
Solved with Ras's help.
The server is not presenting the full chain (your cert + GoDaddy Secure G2 (intermediate) + GoDaddy Root G2), only your certificate. For browsers, this is not a problem, because browsers are smart enough to resolve the full chain via the Issuer field even if it is not present. However, OpenSSL (and curl) require that the full chain be provided in the certificate. Since the issuer is Secure G2 and not Root C2, and the system CA store only includes the Root C2 and not the Secure G2, OpenSSL does not know how to resolve this chain and fails with the error you see. The correct solution is for the server to provide a certificate chain where both your domain certificate and the Go Daddy Secure Certificate Authority - G2 certificates are provided.
It works for sites like https://google.com, but does not work for my site; however, the cert is valid in browsers. After searching on the internet, I still can't figure it out.
OS: Crunchbangplusplus 12
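The incomplete-chain failure explained in the thread can be reproduced offline with the `openssl` CLI. This is an added example, not code from the thread or from puppy; the root, intermediate and leaf are constructed here and every name and path is made up.

```shell
#!/bin/sh
# Constructed chain: root -> intermediate -> leaf. Only the root is "trusted".
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=placeholder\n' > "$W/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\n' > "$W/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$W/leaf.ext"

# new_csr NAME CN: generate a key pair and a signing request for it
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$W/req.cnf" \
    -subj "/CN=$2" -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
}
# sign NAME ISSUER EXTFILE: have ISSUER sign NAME's request
sign() {
  openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.pem" -CAkey "$W/$2.key" \
    -CAcreateserial -days 1 -extfile "$W/$3" -out "$W/$1.pem" 2>/dev/null
}
make_chain() {
  new_csr root "Constructed Root"
  openssl x509 -req -in "$W/root.csr" -signkey "$W/root.key" -days 1 \
    -extfile "$W/ca.ext" -out "$W/root.pem" 2>/dev/null
  new_csr int "Constructed Intermediate"; sign int root ca.ext
  new_csr leaf "leaf.example.test";       sign leaf int leaf.ext
}

# Server sends only its own certificate: nothing links the leaf to the root.
verify_leaf_only() {
  openssl verify -CAfile "$W/root.pem" "$W/leaf.pem" >/dev/null 2>&1
}
# Server sends leaf + intermediate (the server-side fix): chain completes.
verify_full_chain() {
  openssl verify -CAfile "$W/root.pem" -untrusted "$W/int.pem" \
    "$W/leaf.pem" >/dev/null 2>&1
}
# Client-side workaround: the CA file handed to the client also carries the
# intermediate, so the client can build the chain without the server's help.
verify_with_bundle() {
  cat "$W/int.pem" "$W/root.pem" > "$W/bundle.pem"
  openssl verify -CAfile "$W/bundle.pem" "$W/leaf.pem" >/dev/null 2>&1
}

make_chain
for check in verify_leaf_only verify_full_chain verify_with_bundle; do
  if "$check"; then echo "$check: OK"; else echo "$check: verification failed"; fi
done
```

Only `verify_leaf_only` fails, which matches a client that trusts the root but never receives the intermediate.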