#474: Outdated CA Certificates -------------------+--------------------------- Reporter: maphew | Owner: osgeo4w-dev@… Type: defect | Status: new Priority: major | Component: Package Version: | Keywords: curl, openssl -------------------+--------------------------- I believe either [wiki:pkg-curl], or more likely [wiki:pkg-openssl] have outdated CA Certificates, because downloading new certificates and pointing curl at them resolves `error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed`
Demonstrate error: {{{ C:\OSGeo4W>curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). The default bundle is named curl-ca-bundle.crt; you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. }}} Demonstrate workaround: {{{ C:\OSGeo4W>curl http://curl.haxx.se/ca/cacert.pem -o ca-bundle.crt % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 250k 100 250k 0 0 178k 0 0:00:01 0:00:01 --:--:-- 255k C:\OSGeo4W>curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py --cacert ca-bundle.crt % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 1379k 100 1379k 0 0 319k 0 0:00:04 0:00:04 --:--:-- 701k }}} I'm not sure what the appropriate is folder to put the updated `ca- bandle.crt` in so the problem is fixed permanently. There is `C:\OSGeo4W\apps\Qt4\certs` but something like `etc/pki/tls...` or `apps/openssl` looks more "system" and not qt-app specific. Sources: - http://stackoverflow.com/a/30728558/14420 -- Ticket URL: <https://trac.osgeo.org/osgeo4w/ticket/474> OSGeo4W <http://trac.osgeo.org/osgeo4w> OSGeo4W is the Windows installer and package environment for the OSGeo stack. _______________________________________________ osgeo4w-dev mailing list osgeo4w-dev@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/osgeo4w-dev