tar xjf curl-7.22.0.tar.bz2   # j = bzip2, matching the .tar.bz2 archive
if [ ! -d /usr/share/curl/ ]; then
    sudo mkdir -p /usr/share/curl/
else
    # keep the existing bundle as a backup before replacing it
    sudo mv /usr/share/curl/ca-bundle.crt /usr/share/curl/ca-bundle.crt.original
fi
sudo mv ca-bundle.crt /usr/share/curl/ca-bundle.crt
Dec 9, 2013
This is insecure as the source is not verified at all. It is better to use a package manager to do this, which usually checks the package integrity automatically.
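One way to address the integrity concern raised in the comment above, as an added example that is not part of the original gist or any commenter's code: check the downloaded tarball against a SHA-256 obtained from a trusted channel, and sanity-check the generated bundle before it replaces the old one. The function names (`verify_sha256`, `bundle_looks_sane`, `install_bundle`), the `EXPECTED_SHA256` placeholder and the minimum certificate count are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the gist.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Succeeds only if FILE hashes to EXPECTED_HEX (case-insensitive).
# EXPECTED_HEX must come from a channel you trust, not from the same
# plain-HTTP download as the file itself.
verify_sha256() {
    [ -f "$1" ] || return 2
    actual=$(sha256_of "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# bundle_looks_sane FILE MIN_CERTS
# Rejects empty or truncated output: PEM BEGIN/END markers must balance
# and there must be at least MIN_CERTS certificates.
bundle_looks_sane() {
    [ -s "$1" ] || return 1
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -eq "$ends" ] && [ "$begins" -ge "$2" ]
}

# install_bundle SRC DEST_DIR MIN_CERTS
# Installs SRC as DEST_DIR/ca-bundle.crt only if it passes the sanity check,
# keeping any previous bundle as ca-bundle.crt.original.
install_bundle() {
    bundle_looks_sane "$1" "$3" || { echo "refusing to install $1" >&2; return 1; }
    mkdir -p "$2" || return 1
    if [ -f "$2/ca-bundle.crt" ]; then
        cp -p "$2/ca-bundle.crt" "$2/ca-bundle.crt.original" || return 1
    fi
    # Copy next to the target, then rename, so readers never see a partial file.
    cp "$1" "$2/ca-bundle.crt.new" && mv "$2/ca-bundle.crt.new" "$2/ca-bundle.crt"
}

# Usage (EXPECTED_SHA256 is a placeholder you must fill in yourself):
#   verify_sha256 curl-7.49.1.tar.gz "$EXPECTED_SHA256" || exit 1
#   install_bundle ca-bundle.crt "$HOME/.weechat/certs" 50
```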
Jan 27, 2014
@tvwerkhoven no port exists for ca-certificates for the Mac :-(
I used the above ritual, suitably modified for current stuff, on a Mac MacOS 10.5 with TQSL to get around "peer certificate can't be authenticated with known CA certificates" but now it says "problem with the SSL CA cert (path: /usr/share/curl/curl-ca-bundle.crt CA path: none)". How do I fix that?
Oh! Looks like I misnamed the ca-bundle.crt file
Sep 14, 2015
Hi people coming here on El Capitan, you will not be able to modify /usr/share or anything outside /usr/local due to the new SIP. And hence this script won't run as-is. While you can disable it, it's fine to just keep things in /usr/local. So this is the easy workaround for the above script (if you look at it closely it's quite trivial):
All you need is the .crt file which you are getting through:
wget http://curl.haxx.se/download/curl-7.22.0.tar.bz2
tar xjf curl-7.22.0.tar.bz2
cd curl-7.22.0/lib/
./mk-ca-bundle.pl
the lib/ folder will now have the .crt file so just move it to some place accessible to you like:
mv ca-bundle.crt ~/.weechat/certs/
And then in weechat make
/set weechat.network.gnutls_ca_file "~/.weechat/certs/ca-bundle.crt"
Dec 7, 2015
@ashutoshrishi thanks for the detailed response. I got a ssl connection working through this.
Dec 14, 2015
@ashutoshrishi Thank you. I got it working as well
Jun 22, 2016
The above commands didn't seem to work on El Capitan for me, possibly because of a newer version of Perl I have.
curl 7.22 is old anyway, you'll want to download 7.49 instead:
wget http://curl.haxx.se/download/curl-7.49.1.tar.gz
tar xzf curl-7.49.1.tar.gz
cd curl-7.49.1/lib/
./mk-ca-bundle.pl
Sep 2, 2016
thanks mcmire this works perfectly
Sep 3, 2016
If you installed brew install curl then mk-ca-bundle.pl is already at
Sep 17, 2016
@ashutoshrishi @mcmire @mxl I installed
brew, then I run
I then moved
~/.weechat/certs/ and set
/set weechat.network.gnutls_ca_file "~/.weechat/certs/ca-bundle.crt" in weechat.
Yet, I can't connect to any server using SSL.
I have also tried to install
openssl (with brew) and set
/set weechat.network.gnutls_ca_file "/usr/local/etc/openssl/cert.pem" (source) - but still no luck.
/set irc.server.servername.ssl_dhkey_size does not help either (source).
ps. I am running MacOS 10.11.6 and weechat 1.5 installed with
brew install weechat --with-perl --with-python --with-lua --with-ruby
Oct 24, 2016
If @ashutoshrishi's solution is not working, you may need to complete two additional steps.
wget http://curl.haxx.se/download/curl-7.49.1.tar.gz
tar xzf curl-7.49.1.tar.gz
cd curl-7.49.1/lib/
Check to see if you are receiving the error:
Couldn't open certdata.txt: No such file or directory at ./mk-ca-bundle.pl line 126..
If this is the case, open the script and look for the release url for certdata.
Get the certdata file and place it in the same directory as the ./mk-ca-bundle.pl
Don't forget to tell weechat where the new ca-bundle.crt is:
weechat: /set weechat.network.gnutls_ca_file = "~/.weechat/certs/ca-bundle.crt"
You may need to add this file to the ~/.weechat/weechat.conf if it does not persist across sessions
Nov 3, 2016
@ElpsySec Thanks much for this
Nov 18, 2016
@ElpsySec thank you!
Jan 20, 2018
/set weechat.network.gnutls_ca_file "/usr/local/etc/openssl/cert.pem" as in WeeChat FAQ works for me. Homebrew OpenSSL Caveats says:
==> Caveats
A CA file has been bootstrapped using certificates from the SystemRoots keychain. To add additional certificates (e.g. the certificates added in the System keychain), place .pem files in
  /usr/local/etc/openssl/certs
and run
  /usr/local/opt/openssl/bin/c_rehash
This formula is keg-only, which means it was not symlinked into /usr/local, because Apple has deprecated use of OpenSSL in favor of its own TLS and crypto libraries.
If you need to have this software first in your PATH run:
  echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.zshrc
For compilers to find this software you may need to set:
  LDFLAGS: -L/usr/local/opt/openssl/lib
  CPPFLAGS: -I/usr/local/opt/openssl/include
For pkg-config to find this software you may need to set:
  PKG_CONFIG_PATH: /usr/local/opt/openssl/lib/pkgconfig
Feb 17, 2018
Confirming that solution provided by @oblitum works. Many thanks!
Thank you for this. I've used it here...