Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
stallwoodj
Collaborator
Collaborator
Jump to solution

curl_cli doesn't pick up CA bundle by default

 

Hi, 

I've noticed that all my R81.x firewalls don't seem to run curl_cli any more without an error. This also affects management servers as well as gateways, regardless of HTTPS inspection being deployed or not.

[Expert@FW-TH:0]# curl_cli -v https://www.checkpoint.com/
*   Trying 54.192.137.127...
* TCP_NODELAY set
* Connected to www.checkpoint.com (54.192.137.127) port 443 (#0)
* ALPN, offering http/1.1
* *** Current date is: Wed Jun 26 15:03:16 2024
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Wed Jun 26 15:03:16 2024
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* err is -1, detail is 2
* *** Current date is: Wed Jun 26 15:03:16 2024
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* err is -1, detail is 1
* errdetail=0x1416f086
ERR_lib_error_string: SSL routines
 ERR_func_error_string: tls_process_server_certificate
 ERR_reason_error_string: certificate verify failed
 ERR_error_string: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.


[Expert@FW-TH:0]# grep -i Globalsign.*R3 $CPDIR/conf/ca-bundle.crt
GlobalSign Root CA - R3
 
 
 
If you force the CA bundle option, all is fine e.g.
curl_cli --cacert $CPDIR/conf/ca-bundle.crt https://updates.checkpoint.com/WebService/Monitor

 

Do we know when this GAiA issue will be addressed?

 

Thanks

Jamie

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

This has been the case in earlier versions as well, as far as I can remember.

View solution in original post

0 Kudos
5 Replies
the_rock
Legend
Legend

Never noticed that Jamie, but you are 100% right. I also tested in the lab, cluster with ssl inspection and single fw without it, exact same output.

Andy

stallwoodj
Collaborator
Collaborator

I'm convinced it used to work fine, but even R81.0 seems to have the issue. I've raised an SR but not made any headway... yet.

0 Kudos
the_rock
Legend
Legend

Let us know what thay say. I tested R81.20 jumbo 70 (very latest) and R82 (no jumbo yet) anbd EXACT same issue. You can even mention that to them if you like or simply link this post to the ticket.

Andy

0 Kudos
PhoneBoy
Admin
Admin

This has been the case in earlier versions as well, as far as I can remember.

0 Kudos
the_rock
Legend
Legend

That makes sense.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events