How to securely acquire the Mozilla root certificate bundle for use with curl, Net::HTTP, etc.

If you use curl, or Ruby's net/http or open-uri, to access https resources, you will often (always?) get a certificate verification error. The reason is that, unlike a web browser, these tools do not ship with the large set of root certificates needed to verify a server's certificate chain, so they have nothing to anchor the verification to.

You can install the root certs manually, but first you have to get them from somewhere. This article gives a nice description of how to do that. The cert file it points to is hosted by the curl project, which kindly provides it in .pem format.

Problem: sadly, ironically, and comically, that file (at the time of writing) cannot be fetched over https! A plain-http download of your trust anchors can be tampered with in transit, and nothing would tell you. Luckily, the awesome curl project also publishes the script it uses to produce the file, so we can build the bundle ourselves from Mozilla's source data over https. Here's how.

  1. git clone https://github.com/bagder/curl.git

  2. cd curl/lib

  3. edit mk-ca-bundle.pl and change:

    my $url = 'http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1';

    to

    my $url = 'https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1';

    (change http to https)

  4. ./mk-ca-bundle.pl

    (writes ca-bundle.crt in the current directory)

Ta da!

One caveat: mk-ca-bundle.pl fetches certdata.txt with Perl's LWP, which itself needs a set of trusted CAs to verify mxr.mozilla.org. On a machine with none configured the download fails with "Can't verify SSL peers without knowing which Certificate Authorities to trust". Bootstrap from a trust store you already have (for example the OS vendor's bundle, pointed to with the PERL_LWP_SSL_CA_FILE environment variable), and once you have ca-bundle.crt, record its SHA-256 hash so that later refreshes can be compared against a value you obtained out of band.
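As an added example (not part of this gist or of the curl project), here is a Ruby script showing what the bundle is for on the Net::HTTP side. It builds a throwaway root CA and a server certificate signed by it, serves HTTPS on 127.0.0.1, and fetches a page twice with peer verification on: once with the root written to a temp file that plays the role of ca-bundle.crt (succeeds), and once with an empty trust store standing in for a host with no root certificates (fails with "certificate verify failed", the error the gist opens with). The CA names, serials, local server and temp file are all constructed for the example; the fingerprint helper is the check you would run on a freshly built root against a value obtained out of band.

```ruby
require 'openssl'
require 'net/http'
require 'socket'
require 'tempfile'

# X.509 v3 certificate: self-signed root when ca: true, otherwise a server cert
# signed by issuer_cert/issuer_key. Names, serials and validity are fixtures.
def make_cert(subject, key, serial:, ca:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', 'DNS:localhost,IP:127.0.0.1'))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# SHA-256 fingerprint in the colon-separated form "openssl x509 -fingerprint
# -sha256" prints; compare with an out-of-band value before trusting a root.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# Tiny HTTPS server on 127.0.0.1 answering every request with "ok". Handshakes
# the client abandons (it does not trust our cert) are rescued so it keeps serving.
def start_https_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  tcp = TCPServer.new('127.0.0.1', 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    loop do
      begin
        conn = server.accept
        nil while (line = conn.gets) && line != "\r\n"   # discard request head
        conn.write("HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
        conn.close
      rescue StandardError
        nil   # client rejected our certificate or hung up; wait for the next one
      end
    end
  end
  [tcp.addr[1], thread]
end

# GET / with peer verification on. With ca_file the bundle is the only trust
# anchor; with nil, an empty store models a host with no root certs installed.
def fetch_root(port, ca_file: nil)
  http = Net::HTTP.new('127.0.0.1', port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  if ca_file
    http.ca_file = ca_file
  else
    http.cert_store = OpenSSL::X509::Store.new
  end
  http.open_timeout = http.read_timeout = 5
  http.start { |h| h.get('/').body }
end

# Run both fetches against a throwaway CA and report what happened.
def run_demo
  ca_key   = OpenSSL::PKey::RSA.new(2048)
  ca_cert  = make_cert('/CN=Example Root CA', ca_key, serial: 1, ca: true)
  srv_key  = OpenSSL::PKey::RSA.new(2048)
  srv_cert = make_cert('/CN=localhost', srv_key, serial: 2, ca: false,
                       issuer_cert: ca_cert, issuer_key: ca_key)
  port, thread = start_https_server(srv_cert, srv_key)
  bundle = Tempfile.new(['ca-bundle', '.crt'])   # plays the role of ca-bundle.crt
  bundle.write(ca_cert.to_pem)
  bundle.flush
  result = { root_fingerprint: fingerprint(ca_cert),
             with_bundle: fetch_root(port, ca_file: bundle.path) }
  begin
    fetch_root(port)
    result[:without_bundle] = :accepted   # would mean verification is broken
  rescue OpenSSL::SSL::SSLError => e
    result[:without_bundle] = :rejected
    result[:error] = e.message            # "... certificate verify failed ..."
  end
  result
ensure
  thread&.kill
  bundle&.close!
end

p run_demo if $PROGRAM_NAME == __FILE__
```

To use it against a real host, replace the temp file with the path of the ca-bundle.crt you built and the address with the server you need, and leave verify_mode at VERIFY_PEER: switching to VERIFY_NONE makes the error go away, but then you have encryption with no idea who you are talking to.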

lech7 commented Oct 18, 2012

Yes, that is quite ironic and I'm glad I was not the only one to see the irony and that I came across this post quickly enough (I could easily see myself scouring the internet obsessively looking for the answer).

Thank you for providing a solution. And I'm sure we can write a script from it and run it in a cronjob for automatic updates of the CA bundle.

As great as all of the Linux tools are, I'm a bit surprised that they often seem to miss something obvious (like auto update for the CA bundle) that complicates things, but then maybe I just don't understand.

Thanks again.

viniciusgati commented Feb 25, 2013

./mk-ca-bundle.pl
Downloading 'certdata.txt' ...
Unable to download latest data: 500 - Can't verify SSL peers without knowing which Certificate Authorities to trust

unimatrixZxero commented Apr 16, 2013

I get the same message.

nfirvine commented Oct 15, 2015

And why do you think that is? There's basically no point in fetching over SSL if you can't tell who you're talking to.

http://research.zscaler.com/2008/10/ssl-encryption-without-authentication.html

jocutajar commented Jun 22, 2016

The mozilla cert could be fingerprinted or included in the software so that other certs can be downloaded securely.
