If you’ve installed OpenSSL from MacPorts (or anything that depends on it), you’ve probably come across issues with verifying SSL certificates in applications built against it.
ben@spud:~$ lftp firstname.lastname@example.org
Fatal error: SSL_connect: unable to get local issuer certificate

ben@spud:~$ openssl s_client -connect ftp.library.gb1.brightbox.com:21 -starttls ftp -CApath /opt/local/etc/openssl/
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
That’s because MacPorts doesn’t provide a CA root certificate bundle package (the equivalent of Ubuntu’s ca-certificates package), and in its default configuration the MacPorts openssl package can’t talk to the OS X keychain, where the system CA certificates are kept. So OpenSSL has no trust anchors at all and every chain fails with “unable to get local issuer certificate”.

The fix is to install the curl-ca-bundle port, which provides a CA root bundle:
sudo port install curl-ca-bundle
Then symlink the bundle into /opt/local/etc/openssl, the default CApath for MacPorts-installed OpenSSL:
sudo ln -s /opt/local/share/curl/curl-ca-bundle.crt /opt/local/etc/openssl/cert.pem
EDIT: The above symlink step is no longer necessary. MacPorts’ curl-ca-bundle @7.24.0 now creates the symlink during installation.
Voilà, working CA cert verification!
ben@spud:~$ openssl s_client -connect ftp.library.gb1.brightbox.com:21 -starttls ftp -CApath /opt/local/etc/openssl/
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify return:1
depth=0 serialNumber = FIUwKm3apULSSy7J9sGT8i0NxIprVlhV, C = GB, O = ftp.library.gb1.brightbox.com, OU = GT02477604, OU = See www.rapidssl.com/resources/cps (c)11, OU = Domain Control Validated - RapidSSL(R), CN = ftp.library.gb1.brightbox.com
verify return:1
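If you want to check a machine for this problem before a connection fails, the script below (an added example, not part of the original post or of MacPorts) asks OpenSSL where it expects its CA material (OPENSSLDIR, which is /opt/local/etc/openssl for the MacPorts build), confirms that a cert.pem bundle with at least one certificate exists there, and wraps the s_client invocation from the post so that only the verify result is reported. The default directory is taken from the post; the check_starttls_ftp function needs network access and is only defined, not run. The demo at the end runs only if an openssl binary is on PATH.

```shell
#!/bin/sh
# Added example: sanity-check the CA bundle an OpenSSL build will use.
# Default directory (/opt/local/etc/openssl) is the MacPorts path from the post.

# Directory OpenSSL was compiled to look in for its default CAfile/CApath.
openssl_dir() {
    openssl version -d | sed 's/^OPENSSLDIR: *"\(.*\)"$/\1/'
}

# Count PEM certificates in bundle file $1. Prints the count; returns 1 if the
# file is missing/unreadable or contains no certificates (an empty bundle is as
# useless as a missing one, so it is reported as a failure too).
count_ca_certs() {
    bundle="$1"
    [ -r "$bundle" ] || { echo "no CA bundle at $bundle" >&2; return 1; }
    # grep -c exits 1 when there are no matches but still prints "0".
    n=$(grep -c 'BEGIN CERTIFICATE' "$bundle" || true)
    echo "$n"
    [ "$n" -gt 0 ]
}

# Check that directory $1 holds a usable cert.pem, i.e. the file the post's
# symlink provides. Returns 0 when OK, 1 otherwise.
ca_bundle_ok() {
    dir="${1:-/opt/local/etc/openssl}"
    n=$(count_ca_certs "$dir/cert.pem") || return 1
    echo "$dir/cert.pem: $n CA certificates"
}

# Run the post's s_client check against host $1 (port $2, CApath $3) and
# print only the "Verify return code" line. Needs network access.
check_starttls_ftp() {
    host="$1"; port="${2:-21}"; dir="${3:-/opt/local/etc/openssl}"
    openssl s_client -connect "$host:$port" -starttls ftp -CApath "$dir" </dev/null 2>&1 \
        | grep 'Verify return code'
}

# Demo: inspect whatever OpenSSL is installed locally, if any.
if command -v openssl >/dev/null 2>&1; then
    ca_bundle_ok "$(openssl_dir)" \
        || echo "no usable bundle; on MacPorts: sudo port install curl-ca-bundle" >&2
fi
```

A "Verify return code: 0 (ok)" line from check_starttls_ftp means the chain was built to a trusted root; "unable to get local issuer certificate" with a bundle that ca_bundle_ok reports as present usually means the server is sending an incomplete chain rather than a missing bundle.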