SSL problem with Cloudflare and curl on nginx configuration Ubuntu 18.04


#1

Greeting community,

We are currently building a webserver for one of our customer. They are using Cloudflare SSL certification for the website. I am not really knowledge in cloudflare but we followed the following link: https://www.digitalocean.com/community/tutorials/how-to-host-a-website-using-cloudflare-and-nginx-on-ubuntu-16-04

Everything seem’s to be great but we need curl for some work in the website.

Eveytime we run curl following command: curl -svo /dev/null https://exemple.ca/ 2>&1 | egrep -v “^{.|^}.*|^* http.$”

i have the following error: SSL certificate problem: unable to get local issuer certificate.

I already try to put cloudflare certificate and open certificate in php,ini file

curl.cainfo =/etc/ssl/certs/Certempcom.pem

Doe’s anybody have any idea of what is causing this?

Thanks a lot


#2

Are you sure you are connecting to the right host? Try openssl s_client -connect exemple.ca:443 and check where it connects to and what certificate you get.


#3

It first connect to cloudflare

After that i have the right certificate printing on screen

the error i have is : Verification error: unable to verify the first certificate

Those this help you?


#4

It might be that you dont have the full certificate chain. In which case you’d need to import it into your certificate store, for it to be trusted. Whats the domain?


#5

The domain is https://portail.emploiscompetences.com


#6

Unless you have an entry in the hosts file (have you checked for that?) that should be fine as that host is properly configured for Cloudflare. Just to rule out any local edge server issues, can you check your certificate chain involves two Comodo certificates plus the one issued for the host?

If that is the case your system trust store is most likely missing the Comodo certificates and hence cant validate your server certificate. You’d either need to add them to the system trust store or configure a custom one for that call.


#7

Thank you so much for this. I was into this issue and tired to tinker around to check if its possible but couldnt get it done. Now that i have seen the way you did it, thanks guys
with
regards


#8

We finally found the problem:

like Sandro said the chain was not full

when doing a check SSL or using a web browser they complete the certificate with the standard intermediate and trusted root certificate.

But when using curl or inside server command, you need to make a full .pem file with

----- certificate-----
----- certificate-----
----- Intermediate certificate-----
----- Intermediate certificate-----
----- Trusted root certificate-----
----- Trusted root certificate-----

Thanks for your help


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.