Gist 1stvamp/2158128
#!/bin/bash
# Build a fresh CA bundle from Mozilla's certdata.txt with curl's mk-ca-bundle.pl
# and install it where curl expects it.
set -e
mkdir -p /tmp/curl-ca-bundle
cd /tmp/curl-ca-bundle
# Plain-HTTP download, no checksum or signature check (see the comments below).
wget http://curl.haxx.se/download/curl-7.22.0.tar.bz2
tar xjf curl-7.22.0.tar.bz2   # a .tar.bz2 needs -j, not -z
cd curl-7.22.0/lib/
./mk-ca-bundle.pl
# Keep a copy of any bundle that is already installed.
if [ -f /usr/share/curl/ca-bundle.crt ]; then
    sudo mv /usr/share/curl/ca-bundle.crt /usr/share/curl/ca-bundle.crt.original
fi
sudo mkdir -p /usr/share/curl/
sudo mv ca-bundle.crt /usr/share/curl/ca-bundle.crt
echo
echo "Done!"
This is insecure as the source is not verified at all. It is better to use a package manager for this, which usually checks package integrity automatically.
@tvwerkhoven no port exists for ca-certificates for the Mac :-(
I used the above ritual, suitably modified for current stuff, on a Mac MacOS 10.5 with TQSL to get around "peer certificate can't be authenticated with known CA certificates", but now it says "problem with the SSL CA cert (path: /usr/share/curl/curl-ca-bundle.crt CA path: none)". How do I fix that?
Oh! Looks like I misnamed the ca-bundle.crt file
Hi people coming here on El Capitan, you will not be able to modify /usr/share or anything outside /usr/local due to the new SIP. And hence this script won't run as-is. While you can disable it, it's fine to just keep things in /usr/local. So this is the easy workaround for the above script (if you look at it closely it's quite trivial):
All you need is the .crt file which you are getting through:
wget http://curl.haxx.se/download/curl-7.22.0.tar.bz2
tar xjf curl-7.22.0.tar.bz2
cd curl-7.22.0/lib/
./mk-ca-bundle.pl
The lib/ folder will now have the .crt file, so just move it to some place accessible to you, like:
mv ca-bundle.crt ~/.weechat/certs/
And then in weechat run /set weechat.network.gnutls_ca_file "~/.weechat/certs/ca-bundle.crt"
@ashutoshrishi thanks for the detailed response. I got a ssl connection working through this. 👍
@ashutoshrishi Thank you. I got it working as well 😄
The above commands didn't seem to work on El Capitan for me, possibly because of a newer version of Perl I have.
curl 7.22 is old anyway, you'll want to download 7.49 instead:
wget http://curl.haxx.se/download/curl-7.49.1.tar.gz
tar xzf curl-7.49.1.tar.gz
cd curl-7.49.1/lib/
./mk-ca-bundle.pl
thanks mcmire this works perfectly
If you installed curl with brew install curl then mk-ca-bundle.pl is already at /usr/local/Cellar/curl/x.y.z/libexec/mk-ca-bundle.pl.
@ashutoshrishi @mcmire @mxl I installed curl with brew, then I ran mk-ca-bundle.pl from /usr/local/Cellar/curl/7.50.3/libexec/. I then moved ca-bundle.crt under ~/.weechat/certs/ and set /set weechat.network.gnutls_ca_file "~/.weechat/certs/ca-bundle.crt" in weechat. Yet, I can't connect to any server using SSL.
I have also tried to install openssl (with brew) and set /set weechat.network.gnutls_ca_file "/usr/local/etc/openssl/cert.pem" (source), but still no luck.
Playing with /set irc.server.servername.ssl_dhkey_size does not help either (source).
Any ideas?
PS. I am running MacOS 10.11.6 and weechat 1.5 installed with brew install weechat --with-perl --with-python --with-lua --with-ruby
If @ashutoshrishi's solution is not working, you may need to complete two additional steps.
After running:
wget http://curl.haxx.se/download/curl-7.49.1.tar.gz
tar xzf curl-7.49.1.tar.gz
cd curl-7.49.1/lib/
Check to see if you are receiving the error: Couldn't open certdata.txt: No such file or directory at ./mk-ca-bundle.pl line 126.
If this is the case, open the script and look for the release URL for certdata.
Get the certdata file and place it in the same directory as ./mk-ca-bundle.pl:
wget https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
Finally, run:
./mk-ca-bundle.pl
Don't forget to tell weechat where the new ca-bundle.crt is:
weechat: /set weechat.network.gnutls_ca_file = "~/.weechat/certs/ca-bundle.crt"
You may need to add this file to the ~/.weechat/weechat.conf if it does not persist across sessions.
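As an added illustration (not part of the gist or of any comment here), this Python sketch shows what mk-ca-bundle.pl does with the certdata.txt fetched in the step above: it parses the NSS records, pairs each certificate with its trust object by label, and writes only the roots marked CKT_NSS_TRUSTED_DELEGATOR for server authentication into a PEM bundle. The sample records are constructed, the DER bytes are placeholders, and the server-auth-only filter is a simplification of the Perl script's purpose options.

```python
import base64

# Constructed certdata.txt excerpt (NSS format read by mk-ca-bundle.pl); the
# MULTILINE_OCTAL bytes are short placeholders, not real DER certificates.
SAMPLE_CERTDATA = r"""CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root A"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\002
\003\004
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root B"
CKA_VALUE MULTILINE_OCTAL
\060\202\377
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""

def parse_certdata(text):
    """Return ({label: der}, {label: server-auth trust}); records pair by CKA_LABEL."""
    certs, trust, obj, lines = {}, {}, {}, iter(text.splitlines())
    for line in lines:
        if line.startswith("CKA_CLASS "):
            obj = {"class": line.split()[-1]}        # a new NSS object begins
        elif line.startswith('CKA_LABEL UTF8 "'):
            obj["label"] = line[len('CKA_LABEL UTF8 "'):-1]
        elif line == "CKA_VALUE MULTILINE_OCTAL" and obj.get("class") == "CKO_CERTIFICATE":
            # Octal escapes such as \060\202 continue until a line reading END.
            octets = [int(o, 8) for raw in iter(lines.__next__, "END")
                      for o in raw.split("\\") if o]
            certs[obj["label"]] = bytes(octets)
        elif line.startswith("CKA_TRUST_SERVER_AUTH ") and obj.get("class") == "CKO_NSS_TRUST":
            trust[obj["label"]] = line.split()[-1]
    return certs, trust

def build_bundle(text):
    """PEM bundle of certs trusted as TRUSTED_DELEGATOR for server auth only."""
    certs, trust = parse_certdata(text)
    out = []
    for label, der in certs.items():
        if trust.get(label) == "CKT_NSS_TRUSTED_DELEGATOR":  # distrusted/unlisted dropped
            b64 = base64.b64encode(der).decode()
            pem = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            out.append("%s\n%s\n-----BEGIN CERTIFICATE-----\n%s\n"
                       "-----END CERTIFICATE-----\n" % (label, "=" * len(label), pem))
    return "\n".join(out)
```

Run build_bundle over a real certdata.txt and compare the certificate count with the ca-bundle.crt mk-ca-bundle.pl wrote to see which roots the trust filter keeps and which it drops.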
@ElpsySec Thanks much for this
@ElpsySec thank you!
Setting /set weechat.network.gnutls_ca_file "/usr/local/etc/openssl/cert.pem"
as in the WeeChat FAQ works for me. The Homebrew OpenSSL caveats say:
==> Caveats
A CA file has been bootstrapped using certificates from the SystemRoots
keychain. To add additional certificates (e.g. the certificates added in
the System keychain), place .pem files in
/usr/local/etc/openssl/certs
and run
/usr/local/opt/openssl/bin/c_rehash
This formula is keg-only, which means it was not symlinked into /usr/local,
because Apple has deprecated use of OpenSSL in favor of its own TLS and crypto libraries.
If you need to have this software first in your PATH run:
echo 'export PATH="/usr/local/opt/openssl/bin:$PATH"' >> ~/.zshrc
For compilers to find this software you may need to set:
LDFLAGS: -L/usr/local/opt/openssl/lib
CPPFLAGS: -I/usr/local/opt/openssl/include
For pkg-config to find this software you may need to set:
PKG_CONFIG_PATH: /usr/local/opt/openssl/lib/pkgconfig
Confirming that the solution provided by @oblitum works. Many thanks!
Thank you for this. I've used it here...
flatheadmill/dotfiles@f2a25e1