#500 Problem with certificate on Debian Wheezy


I get the following error with esniper on Wheezy

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

What should I do?


  • Bodo

    • labels: 1260807 -->
    • status: open --> pending
  • Bodo

    Please provide some more details or tell us if you found the problem.


  • Anonymous

    Also getting this error using Debian compiled esniper_2.25.0-1_i386.deb and compiled from CVS 2.25.0.

    robert@tower:~/tmp/CVS/esniper$ ./esniper 120747696925 5.5
    Auction 120747696925: Cannot connect to URL : Peer certificate cannot be authenticated with known CA certificates: SSL certificate problem, verify that the CA cert is OK. Details:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    robert@tower:~/tmp/CVS/esniper$ ldd ./esniper
    linux-gate.so.1 => (0xb7773000)
    libcurl.so.4 => /usr/lib/libcurl.so.4 (0xb7703000)
    libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb75a9000)
    libidn.so.11 => /usr/lib/libidn.so.11 (0xb7577000)
    libssh2.so.1 => /usr/lib/libssh2.so.1 (0xb7554000)
    liblber-2.4.so.2 => /usr/lib/liblber-2.4.so.2 (0xb7546000)
    libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0xb74f6000)
    librt.so.1 => /lib/i686/cmov/librt.so.1 (0xb74ed000)
    libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb74b6000)
    libssl.so.1.0.0 => /usr/lib/i686/cmov/libssl.so.1.0.0 (0xb746e000)
    libcrypto.so.1.0.0 => /usr/lib/i686/cmov/libcrypto.so.1.0.0 (0xb72f4000)
    librtmp.so.0 => /usr/lib/librtmp.so.0 (0xb72de000)
    libz.so.1 => /usr/lib/libz.so.1 (0xb72ca000)
    libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0xb722d000)
    /lib/ld-linux.so.2 (0xb7774000)
    libgcrypt.so.11 => /lib/libgcrypt.so.11 (0xb71b9000)
    libresolv.so.2 => /lib/i686/cmov/libresolv.so.2 (0xb71a5000)
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb718e000)
    libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb7175000)
    libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb70be000)
    libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb7099000)
    libcom_err.so.2 => /lib/libcom_err.so.2 (0xb7096000)
    libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0xb708f000)
    libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb708b000)
    libkeyutils.so.1 => /lib/libkeyutils.so.1 (0xb7087000)
    libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0xb7077000)
    libgpg-error.so.0 => /lib/libgpg-error.so.0 (0xb7073000)
    robert@tower:~/tmp/CVS/esniper$ dpkg -l libc6 libcurl3 ca-certificates
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name Version Description
    ii ca-certificates 20110421 Common CA certificates
    ii libc6 2.13-4 Embedded GNU C Library: Shared libraries
    ii libcurl3 7.21.6-1 Multi-protocol file transfer library (OpenSSL)

    Please let me know how I can help. Thanks.


  • Anonymous

    Can confirm that no errors are encountered when esniper CVS is compiled against libcurl4-gnutls-dev (7.21.6-3) instead of libcurl4-openssl-dev (7.21.6-1). Looks like there is a problem with libcurl4-openssl-dev (7.21.6-1) and the Debian esniper maintainer is compiling with it.
    Thanks bomm for the link to Debian Bug#624005.

    Last edit: Anonymous 2014-07-12
  • Bodo

    It might be possible to disable certificate verification in esniper's source code as a workaround.
    See http://curl.haxx.se/docs/sslcerts.html
    But esniper is working on many systems, so I think there is a problem with Debian's libcurl/openssl package/configuration or with the CA certificates used by openssl/curl. IMHO a proper fix should be applied to the library packages or the certificate bundle, not to esniper.

  • Bodo

    • status: pending --> pending-wont-fix
  • The esniper seems to have a problem with peer verification since openssl 1.0.0. The previous version 0.9.8 was alright. I tested the verification with another program which uses openssl: lynx. It fails to verify the server, too. There is no problem with the CA certificates per se, because Firefox (using nss) has no problem with the same URL and certificate (signin.ebay.com) -- maybe the new openssl package does not look for the CA certs in the right location, but they are installed in /etc/ssl on my system.

    My system is Gentoo/Linux based and so I changed the USE flags according to the remarks in other bug reports. Now, gnutls is used to compile curl and everything works fine. So: Works for me.

    I am going to report the issue upstream to openssl.org.
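
One way to test the CA-location hypothesis from the last comment, as an added example that is not part of the original thread or of esniper: the script builds a throwaway CA and leaf certificate, then verifies the leaf against three `-CApath` directories that all contain the CA file but differ in the hash-named link OpenSSL uses to find it (none, the pre-1.0.0 subject hash from `-subject_hash_old`, and the current `-subject_hash`). All names, certificates and directories are constructed, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: all certificates, names and directories are constructed.
WORK=$(mktemp -d)

# Build a throwaway CA and a leaf certificate signed by it.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# new_capath NAME [HASHFLAG]: create a CA directory that contains ca.pem and,
# if HASHFLAG is given, a "<hash>.0" link computed with that x509 option.
new_capath() {
    dir="$WORK/$1"; mkdir -p "$dir"; cp "$WORK/ca.pem" "$dir/ca.pem"
    if [ -n "$2" ]; then
        h=$(openssl x509 -noout "$2" -in "$WORK/ca.pem")
        ln -s ca.pem "$dir/$h.0"
    fi
    echo "$dir"
}

# verify_with DIR: succeeds only if the leaf chains to a CA found through DIR.
# The output is parsed rather than relying on the exit status alone.
verify_with() {
    openssl verify -CApath "$1" "$WORK/leaf.pem" 2>/dev/null | grep -q ': OK$'
}

make_certs || { echo "openssl CLI not usable" >&2; exit 1; }
for spec in "nolink:" "oldhash:-subject_hash_old" "newhash:-subject_hash"; do
    dir=$(new_capath "${spec%%:*}" "${spec#*:}")
    if verify_with "$dir"; then result="OK"; else result="verify failed"; fi
    echo "${spec%%:*}: $result"
done
```

On an affected machine, the directory to inspect is the `certs` subdirectory of the path printed by `openssl version -d`.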