curl with certificates -
markh - 06-13-2022
Hello,
in trying to get Git running on Irix, I am running into a little problem with certificates.
It seems to be using curl to do the https requests and it somehow does not see the certificates, so it is refusing to connect.
I installed curl 7.60 from http://contrib.irixnet.org/dual-mips3-mips4/
Running curl on an https connection fails with the following error:
curl: (60) SSL certificate problem: unable to get local issuer certificate
I have downloaded the most recent cacert.pem file from the curl website and put it in /usr/nekoware/certs and pointing to it with the cacert command-line option does make it work. It is just that with only capath specified or relying on the built-in path (/usr/nekoware/certs/) it fails. I also ran c_rehash and though I can see that it makes a symlink in /usr/nekoware/certs/ it does not help.
Does anyone know what I am doing wrong?
RE: curl with certificates -
Raion - 06-14-2022
Set an env variable in your shell. What shell are you using?
RE: curl with certificates -
markh - 06-14-2022
Which env variable should I be setting? I am using tcsh.
Hmm, did some more digging and it seems that in order to use the directory /usr/nekoware/certs I need to split up the cacert.pem file into a file per certificate. I tested it with the ISRG Root X1 certificate which is needed by https://curl.se and then curl can connect fine.
I looked for a script to split the file and found https://stackoverflow.com/questions/23644473/how-can-i-split-a-ca-certificate-bundle-into-separate-files#25316445 but the answers there don't seem to work on Irix or I am doing something wrong. I don't have a lot of experience with regular expressions, so I am not too sure what is wrong.
RE: curl with certificates -
markh - 06-24-2022
I checked how HaikuOS was doing this as I have that easily available and they seem to have compiled curl with a cafile (pointing to cacert.pem) instead of using the capath as the nekoware version does. Using the capath seems more elegant, so I had a look at splitting up the file.
I managed to make an awk script that worked for me to split up the cacert.pem file into individual pem files.
It is as follows:
Code:
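# Each label in cacert.pem is underlined with "="; remember the line before it.
/\=\=\=\=/ {filename=prevline}{prevline=$0}
# Write every line from BEGIN to END CERTIFICATE to "<label>.pem".
/BEGIN CERTIFICATE/, /END CERTIFICATE/ {print > (filename ".pem")}
# Close the finished file; close() needs its argument in parentheses.
/END CERTIFICATE/ {close(filename ".pem")}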
You can save it in a file (for example split_certificates.awk) and then execute it with "awk -f split_certificates.awk cacert.pem". It will create a lot of pem files with the names set to the issuer. You can then copy those (excluding cacert.pem) to the /usr/nekoware/certs directory and run c_rehash (do both steps with a user that has rights to write to the folder).
Curl should then be able to access any https site with a valid certificate (assuming the root certificate was in the cacert.pem file).
This fixed my problem with Git and I can now clone a project, though I have only done a little bit of testing so far.
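The splitting step from the thread, as an added example that is not part of the original posts: it goes a little further than the script above by sanitising the label before using it as a file name, numbering the files so duplicate labels cannot overwrite each other, and returning a count to compare against the bundle. The function names and the sample bundle are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread; function names are made up here.
# split_bundle BUNDLE OUTDIR: one PEM file per certificate; prints the count.
split_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /^==+$/ { label = prev }      # cacert.pem underlines each label with "="
        { prev = $0 }
        /-----BEGIN CERTIFICATE-----/ {
            name = label; label = ""
            gsub(/[^A-Za-z0-9._-]/, "_", name)  # no spaces or slashes in names
            sub(/^[._]+/, "", name)             # no leading dots or underscores
            if (name == "") name = "cert"
            out = dir "/" name "-" (++n) ".pem" # index prevents overwrites
            writing = 1
        }
        writing { print > out }
        /-----END CERTIFICATE-----/ { if (writing) close(out); writing = 0 }
        END { print n + 0 }
    ' "$1"
}

# count_certs FILE: number of certificates in a PEM file.
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# make_sample FILE: constructed bundle in cacert.pem layout (not real certs).
make_sample() {
    cat > "$1" <<'EOF'
Example Root CA 1
=================
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIDE=
-----END CERTIFICATE-----

Example/Trust Root
==================
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIDI=
-----END CERTIFICATE-----

Example Root CA 1
=================
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIDM=
-----END CERTIFICATE-----
EOF
}
if [ "$#" -eq 2 ]; then split_bundle "$1" "$2"; fi
```

Before copying the output into the capath directory and running c_rehash, check that the number printed by split_bundle equals count_certs on the original bundle, so no trust anchor was silently dropped.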