Fixing SSL CA certificates with OpenSSL from MacPorts
If you’ve installed OpenSSL from MacPorts (or anything that depends on it), you’ve probably come across issues with verifying SSL certificates in applications built against it.
ben@spud:~$ lftp firstname.lastname@example.org Fatal error: SSL_connect: unable to get local issuer certificate
ben@spud:~$ openssl s_client -connect ftp.library.gb1.brightbox.com:21 -starttls ftp -CApath /opt/local/etc/openssl/ CONNECTED(00000003) depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA verify error:num=20:unable to get local issuer certificate verify return:0
That’s because MacPorts doesn’t provide a CA root certificate bundle package (such as the
ca-certificates Ubuntu package) and in its default configuration the
openssl package can’t talk to the OS X keychain, where the system CA certificates are kept.
sudo port install curl-ca-bundle
Then symlink the bundle into
/opt/local/etc/openssl, the default CApath for MacPorts-installed OpenSSL.
sudo ln -s /opt/local/share/curl/curl-ca-bundle.crt /opt/local/etc/openssl/cert.pem
EDIT: As one commenter noted, the above step is no longer necessary. MacPorts’
curl-ca-bundle @7.24.0 now creates the symlink during installation.
Voilà, working CA cert verification!
ben@spud:~$ openssl s_client -connect ftp.library.gb1.brightbox.com:21 -starttls ftp -CApath /opt/local/etc/openssl/ CONNECTED(00000003) depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority verify return:1 depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA verify return:1 depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA verify return:1 depth=0 serialNumber = FIUwKm3apULSSy7J9sGT8i0NxIprVlhV, C = GB, O = ftp.library.gb1.brightbox.com, OU = GT02477604, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - RapidSSL(R), CN = ftp.library.gb1.brightbox.com verify return:1