[Info-vax] %CURL-E-SSL_CERTPROBLEM, SSL problem with the local certificate

Mon Oct 12 09:41:25 EDT 2009

Adam Sutton wrote:
> Dear all,
> 
> I have curl 7.19.5 installed on Alpha - VMS 8.3, with SSL V1.3-281.
> 
> Using curl without SSL works fine and performs as expected.  Earlier
> this month I raised a support call with HP since, when using curl with
> SSL, I keep getting the following error:
> 
> $ curl -v --ftp-ssl -o filelist.txt --cacert TATsubCA.pem --cert
> certkey.pem:Password ftp://test.example.com/ -l -

Unless you really meant the domain somewhere, please use the RFC 
designated domains of example.com .org or .net for examples.

> -key privkey.pem -k -u my_user:my_pass
> * About to connect() to test.cdinternet.com port 21 (#0)
> *   Trying an.ip.ad.dr.ess... connected
> * Connected to test.somwehere.com (an.ip.ad.dr.ess) port 21 (#0)
> < 220-Hello, Welcome to Someone
> < 220-
> < 220 FTP server ready.
>> AUTH SSL
> < 234 SSLv23/TLSv1
> * libcurl is now using a weak random seed!
> * unable to set private key file: 'privkey.pem' type PEM
> * Closing connection #0
> 
> %CURL-E-SSL_CERTPROBLEM, SSL problem with the local certificate
> 
> Has anyone had any similar experience?  I have managed to get the same
> configuration to work on my Windows PC, and on Linux.  Any help would
> be appreciated.  HP have managed to re-create the problem and may go
> to Engineering, however Curl is not a supported product, so not sure
> how successful that is going to be.

I do not have a server with SSH and FTP enabled on it to try to 
reproduce your issue against.  I also am short on time right now to 
investigate why it is not working for you in that configuration.

Try adding a -v option to see if you can get more details.

The -k option is telling curl not to be concerned if the cert for your 
server is not in the -cacert file you specified.  If your -cacert file 
is set up correctly -k should not be used.

A google search of the error message showed quite a few things that 
could generate that error, the most likely being an incorrect password 
on the command line.

Are you aware that with default VMS process options that unless you 
quote your password it is converted to lower case before being passed to 
C programs like curl?

Also, VMS does not have any default paths for certificates or 
certificate authorities.

If that solves your problem then:

A slightly newer curl 17.19.6 is available from 
ftp://encompasserve.org/gnv.  It should set the DECC options for case 
sensitive parsing when SET PROCESS/PARSE=EXTENDED is active.  It is also 
suitable for running in scripts under GNV Bash.

-John
wb8tyw at qsl.network
Personal Opinion Only