I'm migrating a script from 5.10.0 to 5.14.0 and a GET on a secure web server fails with "certificate verify failed" even though I know the site has a valid certificate:
use LWP::UserAgent; use strict; use warnings; my $ua = LWP::UserAgent->new; my $req = HTTP::Request->new(GET => 'https://www.easysoft.com'); my $res = $ua->request($req); print $res->headers_as_string; print $res->content;
returns content fine in 5.10.0 and headers like this:
Connection: close Date: Thu, 16 Jun 2011 14:22:46 GMT Accept-Ranges: bytes Server: Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.7d mod_perl/1. +999.21 Perl/v5.8.6 Vary: Accept-Encoding Content-Type: text/html; charset=ISO-8859-1 Client-Date: Thu, 16 Jun 2011 14:22:22 GMT Client-Peer: 172.20.100.10:443 Client-Response-Num: 1 Client-SSL-Cert-Issuer: /C=US/O=Equifax/OU=Equifax Secure Certificate +Authority Client-SSL-Cert-Subject: /serialNumber=Paoxfx3blSdh6U20B0CULwa1WF0wpCX +i/C=GB/O=www.easysoft.com/OU=GT68879435/OU=See www.rapidssl.com/resou +rces/cps (c)10/OU=Domain Control Validated - RapidSSL(R)/CN=www.easys +oft.com Client-SSL-Cipher: DHE-RSA-AES256-SHA Client-SSL-Warning: Peer certificate not verified Client-Transfer-Encoding: chunked Content-Style-Type: text/css
Same code in 5.14.0 returns:
Content-Type: text/plain Client-Date: Thu, 16 Jun 2011 14:26:04 GMT Client-Warning: Internal response Can't connect to www.easysoft.com:443
and if I add $ENV{HTTPS_CA_FILE} = "/usr/share/ca-certificates/cacert.org/cacert.org.crt" to the script and run in 5.14.0 I get:
Content-Type: text/plain Client-Date: Thu, 16 Jun 2011 14:26:52 GMT Client-Warning: Internal response Can't connect to www.easysoft.com:443 (certificate verify failed) LWP::Protocol::https::Socket: SSL connect attempt failed with unknown +errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certific +ate verify failed at /home/martin/perl5/perlbrew/perls/perl-5.14.0/li +b/site_perl/5.14.0/LWP/Protocol/http.pm line 51.
I had a similar problem connecting to facebook which I was told would be resolved if I installed Mozilla::CA but I already had that installed. In the end I had to I copy the certificates and put them into a "certs" file then a simple "export HTTPS_CA_FILE=/home/martin/certs" made it work. Surely this is not correct.
This is just an example. I'm actually trying to connect to api.betfair.com but this has a valid certificate as well as verified in my browser but api.betfair.com does not return any content so I decided against using it in my example.
Any ideas?
UPDATE Should have mentioned perl 5.10.0 is system Perl on ubuntu and perl 5.14.0 is installed under perlbrew - just in case it makes a difference.
UPDATE2 HTTPS_DEBUG=1 produces output under 5.10.0 and nothing under 5.14.0.
UPDATE3 I had PERL_UNICODE=SAL and unsetting it fixes the problem.
Solution It appears I was missing intermediate certificate 0xeb99629b. Thanks to daxim for putting me on the right track. You can find the details at failed connect or “certificate verify failed” on LWP HTTPS GET
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |