Getting certificate error while using Curl for the satellites list

Hi Alexey,

I hope you are doing awesome as always :slight_smile:

  curl -X POST "https://www.storj.io/dcs-satellites" -F title="Sat list"
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

Please correct me if I am wrong, but does this error occur when CA servers are being contacted to check SSL certificate validity?

I was able to overcome this error by using --ssl-no-revoke. I want to create an issue on GitHub but I also want to learn what is causing it.

Hi,
Why do you use curl -X POST instead of GET?

By the way, the certificate is shown as valid.

I am using it in my PS script. Even with GET I get the following result.

 curl  "https://www.storj.io/dcs-satellites"
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

Thank you for providing more info.
I have tried this command myself, no errors

$ curl  "https://www.storj.io/dcs-satellites"
12EayRS2V1kEsWESU9QMRseFhdxYxKicsiFmxrsLZHeLUtdps3S@us1.storj.io:7777
12L9ZFwhzVpuEKMUNUqkaTLGzwY9G24tbiigLiXpmZWKwmcNDDs@eu1.storj.io:7777
121RTSDpyNZVcEU84Ticf2L1ntiuUimbWgfATz21tuvgk3vzoA6@ap1.storj.io:7777
1wFTAgs9DP5RSnCqKV1eLf6N9wtk4EAtmN5DpSxcs8EjT69tGE@saltlake.tardigrade.io:7777
12rfG3sh9NCWiX3ivPjq2HtdLmbqCrvHVEzJubnzFzosMuawymB@europe-north-1.tardigrade.io:7777
12tRQrMTWUWwzwGh18i7Fqs67kmdhH9t6aToeiwbo5mfS2rUmo@us2.storj.io:7777

So it looks like a local problem - you need to update the ca-certificates package on your host OS.

P.S. I even used WSL

Please try

curl http://crls.pki.goog/gts1d4/BDUW5cT_UVM.crl --output crl.Der

Result

curl http://crls.pki.goog/gts1d4/BDUW5cT_UVM.crl --output crl.Der
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  138k  100  138k    0     0   524k      0 --:--:-- --:--:-- --:--:--  527k

:point_up: What did this command do?

I have updated curl to the latest version, 7.87, but it still gives this error.

curl.exe  "https://www.storj.io/dcs-satellites"
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

It works perfectly on WSL2

Also tried using --capath, --with-ca-bundle flags resulting in

 curl.exe --capath "D:\CAupdate\cacert.pem" "https://www.storj.io/dcs-satellites"
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

One article suggested updating all certificates by creating roots.sst, but it showed adding 440+ certificates. Many of them were expired, so I decided not to follow it. Certmgr showed I have 94 certificates.

Another trial and error method.

curl.exe --capath C:\Windows\System32\curl-ca-bundle.crt "https://www.storj.io/dcs-satellites"
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

downloaded this certificate.
So the problem is reproduced in Windows, right?

The wsl2 is a light VM and the used Linux distro inside it has all root certificates updated, thus no problems in wsl2.

PS C:\Users\Alex> curl.exe "https://www.storj.io/dcs-satellites"
12EayRS2V1kEsWESU9QMRseFhdxYxKicsiFmxrsLZHeLUtdps3S@us1.storj.io:7777
12L9ZFwhzVpuEKMUNUqkaTLGzwY9G24tbiigLiXpmZWKwmcNDDs@eu1.storj.io:7777
121RTSDpyNZVcEU84Ticf2L1ntiuUimbWgfATz21tuvgk3vzoA6@ap1.storj.io:7777
1wFTAgs9DP5RSnCqKV1eLf6N9wtk4EAtmN5DpSxcs8EjT69tGE@saltlake.tardigrade.io:7777
12rfG3sh9NCWiX3ivPjq2HtdLmbqCrvHVEzJubnzFzosMuawymB@europe-north-1.tardigrade.io:7777
12tRQrMTWUWwzwGh18i7Fqs67kmdhH9t6aToeiwbo5mfS2rUmo@us2.storj.io:7777

So to me it looks like a problem with your Windows; maybe it requires an update?
My version is

PS C:\Users\Alex> systeminfo.exe

Host Name:                 DESKTOP-AHBSDQ
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19045 N/A Build 19045
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
...

I downloaded the SSL www.storj.io.crt from dcs page and installed the cert. It gives the same error message.

Our system info matches so I am updating Windows as of now.

What could have caused curl to start showing that message when everything was working fine? I noticed it when my PS script started showing odd error messages.

Usually it’s related to root certificates that have not been updated, or something is trying to intercept requests and substitute the certificate with a malicious one to be able to decrypt all your SSL traffic too.

If this is related to certificates that have not been updated, then you need to install the root certificate from our issuer - Google Trust Services LLC:


You need to install the GTS Root R1 and GTS CA 1D4 certificates in the Root Certificates Authorities folder in the certificate manager for the machine, not for the user or personal (unless you run your commands only as your user, not as an administrator or as a system user).


Should I still proceed to add these? Why can’t it validate when it’s from Google?

Because your system has outdated certificates or may be missing ones from Google.
You should install them in this sequence:

  1. Root Certificate
  2. Chain Certificate

I added them in the order you suggested. Here is what I noticed after sorting all certs based on expiration date.

Google certs are shown like this

The error still persists.

Can you try running the curl command with -v to get more output?

 curl -v "https://www.storj.io/dcs-satellites"
*   Trying 34.120.119.150:443...
* Connected to www.storj.io (34.120.119.150) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: c:\windows\system32\curl-ca-bundle.crt
*  CApath: none
* [CONN-0-0][CF-SSL] TLSv1.0 (OUT), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Certificate Status (22):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Finished (20):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
* [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Unknown (21):
* [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

It looks like it still doesn’t recognise the CA given the error output. Hmm…

What is the output of this command? curl -V?

curl -V
curl 7.87.0 (x86_64-w64-mingw32) libcurl/7.87.0 OpenSSL/3.0.8 (Schannel) zlib/1.2.13 brotli/1.0.9 zstd/1.5.4 WinIDN libssh2/1.10.0 nghttp2/1.51.0 ngtcp2/0.13.1 nghttp3/0.8.0 libgsasl/2.2.0
Release-Date: 2022-12-21
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL SSPI threadsafe TLS-SRP UnixSockets zstd

hm,

> curl.exe -V
curl 7.83.1 (Windows) libcurl/7.83.1 Schannel
Release-Date: 2022-05-13
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp
Features: AsynchDNS HSTS IPv6 Kerberos Largefile NTLM SPNEGO SSL SSPI UnixSockets

Since it’s compiled with Schannel, it should use the built-in certificate store of Windows, according to curl - SSL CA Certificates. I think either the certificate may not be loaded as the right user, or there is still something missing…

I have been using the same Windows user before the error showed up. I wonder why it suddenly stopped loading the certificate. How do I fix this?

I tested these on another Windows computer with the latest Windows update. I suspect it might be some Windows update that broke this.

curl -V
curl 7.83.1 (Windows) libcurl/7.83.1 Schannel
Release-Date: 2022-05-13
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp
Features: AsynchDNS HSTS IPv6 Kerberos Largefile NTLM SPNEGO SSL SSPI UnixSockets
curl -v "https://www.storj.io/dcs-satellites"
*   Trying 34.120.119.150:443...
* Connected to www.storj.io (34.120.119.150) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
* Closing connection 0
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
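
Added example (not part of the thread, and not Storj or curl project code): the two curl builds quoted above fail for different reasons, and this sketch reads `curl -V` and `curl -v` text to report which TLS backend is active, which trust store it consults, and which failure class the error belongs to. The sample strings are constructed from the outputs in this thread; the function names are hypothetical.

```python
import re

# Constructed samples, shaped like the outputs quoted in this thread.
VERSION_MULTISSL = "curl 7.87.0 (x86_64-w64-mingw32) libcurl/7.87.0 OpenSSL/3.0.8 (Schannel) zlib/1.2.13"
VERSION_SCHANNEL = "curl 7.83.1 (Windows) libcurl/7.83.1 Schannel"
VERBOSE_OPENSSL = """\
*  CAfile: c:\\windows\\system32\\curl-ca-bundle.crt
*  CApath: none
* SSL certificate problem: unable to get local issuer certificate
curl: (60) SSL certificate problem: unable to get local issuer certificate"""
VERBOSE_SCHANNEL = """\
* schannel: disabled automatic use of client certificate
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate."""

BACKENDS = ("OpenSSL", "Schannel", "LibreSSL", "BoringSSL", "GnuTLS", "mbedTLS", "wolfSSL")

def active_backend(version_line):
    """Return the TLS backend curl uses by default. MultiSSL builds list the
    inactive backends in parentheses, e.g. 'OpenSSL/3.0.8 (Schannel)'."""
    tail = version_line.split("libcurl/", 1)[-1]
    for token in tail.split()[1:]:          # skip the libcurl version itself
        name = token.split("/", 1)[0]
        if name in BACKENDS:                # parenthesised tokens never match
            return name
    return None

def diagnose(version_line, verbose_output):
    """Classify a failed transfer from curl -V and curl -v text."""
    backend = active_backend(version_line)
    cafile = re.search(r"^\*\s+CAfile:\s*(.+)$", verbose_output, re.M)
    code = re.search(r"^curl: \((\d+)\)", verbose_output, re.M)
    result = {
        "backend": backend,
        "trust_store": "Windows certificate store" if backend == "Schannel"
                       else (cafile.group(1).strip() if cafile else "unknown"),
        "curl_exit": int(code.group(1)) if code else None,
        "cause": "unclassified",
    }
    if "0x80092012" in verbose_output:
        # CRYPT_E_NO_REVOCATION_CHECK: the CRL/OCSP lookup did not complete.
        result["cause"] = "revocation check could not complete"
    elif "unable to get local issuer certificate" in verbose_output:
        # OpenSSL found no issuer in its CA bundle; by default it does not
        # read the Windows certificate store.
        result["cause"] = "issuer missing from CA bundle"
    return result
```

For the OpenSSL case, a bundle file is passed with --cacert, while --capath expects a directory of certificates. In a MultiSSL build the backend can be chosen with the CURL_SSL_BACKEND environment variable.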