Skip to content

Instantly share code, notes, and snippets.

@1stvamp
Created March 22, 2012 12:50
Show Gist options
  • Save 1stvamp/2158128 to your computer and use it in GitHub Desktop.
Save 1stvamp/2158128 to your computer and use it in GitHub Desktop.
Script to install cURL CA certificates on OS X without macports
#!/bin/bash
mkdir /tmp/curl-ca-bundle
cd /tmp/curl-ca-bundle
wget http://curl.haxx.se/download/curl-7.22.0.tar.bz2
tar xzf curl-7.22.0.tar.bz2
cd curl-7.22.0/lib/
./mk-ca-bundle.pl
if [ ! -d /usr/share/curl/ ]; then
sudo mkdir -p /usr/share/curl/
else
sudo mv /usr/share/curl/ca-bundle.crt /usr/share/curl/ca-bundle.crt.original
fi
sudo mv ca-bundle.crt /usr/share/curl/ca-bundle.crt
echo
echo "Done!"
@bigeasy
Copy link

bigeasy commented Jan 29, 2013

Thank you for this. I've used it here...

flatheadmill/dotfiles@f2a25e1

@tvwerkhoven
Copy link

This is insecure as the source is not verified at all. Better is to use a package manager to do this, which usually check the package integrity automatically.

@kedarmhaswade
Copy link

@tvwerkhoven no port exists for ca-certificates for the Mac :-(

@w6jve
Copy link

w6jve commented Aug 4, 2014

I used the above ritual, suitably modified for current stuff, on a Mac MacOS 10.5 with TQSL to get around
"peer certificate can't be authenticated with known CA certificates" but now it says "problem with
the SSL CA cert (path: /usr/share/curl/curl-ca-bundle.crt CA path: none) How do I fix that?

@w6jve
Copy link

w6jve commented Aug 4, 2014

Oh! Looks like I misnamed the ca-bundle.crt file

@ashutoshrishi
Copy link

Hi people coming here on El Capitan, you will not be able to modify /usr/share or anything outside /usr/local due to the new SIP. And hence this script won't run as-is. While you can disable it, it's fine to just keep things in /usr/local. So this is the easy workaround for the above script (if you look at it closely it's quite trivial):

All you need is the .crt file which you are getting through:

wget http://curl.haxx.se/download/curl-7.22.0.tar.bz2
tar xzf curl-7.22.0.tar.bz2
cd curl-7.22.0/lib/
./mk-ca-bundle.pl

the lib/ folder will now have the .crt file so just move it to some place accessible to you like:
mv ca-bundle.crt ~/.weechat/certs/

And then in weechat make /set weechat.network.gnutls_ca_file "~/.weechat/certs/ca-bundle.crt"

@bIgBV
Copy link

bIgBV commented Dec 7, 2015

@ashutoshrishi thanks for the detailed response. I got a ssl connection working through this. 👍

@ywecur
Copy link

ywecur commented Dec 14, 2015

@ashutoshrishi Thank you. I got it working as well 😄

@mcmire
Copy link

mcmire commented Jun 22, 2016

The above commands didn't seem to work on El Capitan for me, possibly because of a newer version of Perl I have.

curl 7.22 is old anyway, you'll want to download 7.49 instead:

wget http://curl.haxx.se/download/curl-7.49.1.tar.gz
tar xzf curl-7.49.1.tar.gz
cd curl-7.49.1/lib/
./mk-ca-bundle.pl

@ashokayengar
Copy link

thanks mcmire this works perfectly

@mxl
Copy link

mxl commented Sep 3, 2016

If you installed curl with brew install curl then mk-ca-bundle.pl is already at /usr/local/Cellar/curl/x.y.z/libexec/mk-ca-bundle.pl.

@cellulosa
Copy link

cellulosa commented Sep 17, 2016

@ashutoshrishi @mcmire @mxl I installed curl with brew, then I run mk-ca-bundle.pl from /usr/local/Cellar/curl/7.50.3/libexec/.
I then moved ca-bundle.crt under ~/.weechat/certs/ and set /set weechat.network.gnutls_ca_file "~/.weechat/certs/ca-bundle.crt" in weechat.
Yet, I can't connect to any server using SSL.

I have also tried to install openssl (with brew) and set /set weechat.network.gnutls_ca_file "/usr/local/etc/openssl/cert.pem" (source) - but still no luck.

Playing with /set irc.server.servername.ssl_dhkey_sizedoes not help either (source).

Any ideas?

ps. I am running MacOS 10.11.6 and weechat 1.5 installed with brew install weechat --with-perl --with-python --with-lua --with-ruby

@3lpsy
Copy link

3lpsy commented Oct 24, 2016

@cellulosa

If @ashutoshrishi solution is not working, you may need to complete two additional steps.

After running:

wget http://curl.haxx.se/download/curl-7.49.1.tar.gz
tar xzf curl-7.49.1.tar.gz
cd curl-7.49.1/lib/

Check to see if you are receiving the error: Couldn't open certdata.txt: No such file or directory at ./mk-ca-bundle.pl line 126..

If this is the case, open the script and look for the release url for certdata.

Get the certdata file and place it in the same directory as the ./mk-ca-bundle.pl

wget https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt

Finally, run:

./mk-ca-bundle.pl

Don't forget to tell weechat where the new ca-bundle.crt is:

weechat: /set weechat.network.gnutls_ca_file = "~/.weechat/certs/ca-bundle.crt"

You may need to add this file to the ~/.weechat/weechat.conf if it does not persist across sessions

@bradbaris
Copy link

@ElpsySec Thanks much for this

@tianp
Copy link

tianp commented Nov 18, 2016

@ElpsySec thank you!

@oblitum
Copy link

oblitum commented Jan 20, 2018

Setting /set weechat.network.gnutls_ca_file "/usr/local/etc/openssl/cert.pem" as in WeeChat FAQ works for me. Homebrew OpenSSL Caveats says:

==> Caveats
A CA file has been bootstrapped using certificates from the SystemRoots
keychain. To add additional certificates (e.g. the certificates added in
the System keychain), place .pem files in
  /usr/local/etc/openssl/certs

and run
  /usr/local/opt/openssl/bin/c_rehash

This formula is keg-only, which means it was not symlinked into /usr/local,
because Apple has deprecated use of OpenSSL in favor of its own TLS and crypto libraries.

If you need to have this software first in your PATH run:
  echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.zshrc

For compilers to find this software you may need to set:
    LDFLAGS:  -L/usr/local/opt/openssl/lib
    CPPFLAGS: -I/usr/local/opt/openssl/include
For pkg-config to find this software you may need to set:
    PKG_CONFIG_PATH: /usr/local/opt/openssl/lib/pkgconfig

@dotinspace
Copy link

Confirming that solution provided by @oblitum works. Many thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment