If you want to use curl or Ruby's net/http and open-uri to access https resources, you will often (always?) get a certificate verification error, because unlike a web browser they ship no root certificates of their own: they rely on the system's CA store, and on a bare box that store is missing or empty, so no server certificate can be validated.
You can manually install the root certs, but first you have to get them from somewhere. This article gives a nice description of how to do that. The cert file it points to is hosted by the curl project, which kindly provides it in PEM format, built from Mozilla's root store.
The problem: sadly, ironically, and comically, that file was only served over plain http, so you would be bootstrapping your entire TLS trust from an unauthenticated download, which is exactly the file a man-in-the-middle would most like to swap. (curl has since moved the bundle to https and publishes a .sha256 next to it, but the point below still stands.) Luckily, the awesome curl project also publishes the script it uses to produce the file, so we can build it securely ourselves. Here's how.
- git clone https://github.com/bagder/curl.git
- cd curl/lib
- edit mk-ca-bundle.pl and change
      my $url = 'http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1';
  to
      my $url = 'https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1';
  (change http to https; current curl checkouts already default to an https URL on hg.mozilla.org, so this edit is only needed for the version shown here)
- ./mk-ca-bundle.pl
Ta da! The output is ca-bundle.crt in the current directory, and the script reports how many CA certs it processed and how many it skipped.
Two caveats. First, this only moves the trust question one step back: the git clone and the https download of certdata.txt are themselves verified against whatever CA store git and Perl's LWP already find on the machine, so you need some trusted anchor for github.com and mozilla.org to begin with. A stock OS install has one; a truly empty box does not, and the download will fail with the very error you started with. Second, the script is more than a blind format conversion: certdata.txt also lists roots Mozilla trusts only for e-mail, and roots it has explicitly distrusted, and mk-ca-bundle.pl keeps only the ones marked trusted for server authentication. If you roll your own converter, or you see a suspiciously large or small certificate count, that filtering is the first thing to check.
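To make the second caveat concrete, here is a small reimplementation of the conversion that mk-ca-bundle.pl performs, written for this page as an added example; it is not curl's code and not the script above. It parses the certdata.txt layout (objects made of CKA_* attribute lines, a CKO_CERTIFICATE object carrying the DER in MULTILINE_OCTAL form, and a CKO_NSS_TRUST object carrying the per-purpose trust constants), then emits PEM only for roots whose CKA_TRUST_SERVER_AUTH is CKT_NSS_TRUSTED_DELEGATOR, which is the script's default policy. The sample input is constructed, with placeholder bytes in place of real certificates, and matching a trust record to its certificate by label is an assumption made to keep the example short (the real file also carries issuer and serial number for that purpose).

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the layout of Mozilla's certdata.txt, the file that
# mk-ca-bundle.pl downloads. Attribute names and CKT_NSS_* trust constants are
# the real NSS ones; the CKA_VALUE octal bytes are placeholders, not real DER.
SAMPLE_CERTDATA = r"""
# Certificate "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\012\002\001\001
\004\005\006
END
# Trust for "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
# Certificate "Example Email-Only Root" (not a TLS server-auth anchor)
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Email-Only Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\002\020
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email-Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
# Certificate "Example Distrusted Root" (explicitly distrusted by Mozilla)
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\003\040
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
"""

_LABEL_RE = re.compile(r'^CKA_LABEL UTF8 "(.*)"$')
_OCTAL_RE = re.compile(r"\\([0-7]{3})")


def parse_certdata(text: str) -> Tuple[Dict[str, bytes], Dict[str, Dict[str, str]]]:
    """Return (label -> DER bytes, label -> {purpose: trust constant}).

    Assumption: certificate and trust objects are paired by CKA_LABEL.
    """
    certs: Dict[str, bytes] = {}
    trust: Dict[str, Dict[str, str]] = {}
    lines = iter(text.splitlines())
    current_class = None
    label = None
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("CKA_CLASS CK_OBJECT_CLASS "):
            current_class = line.rsplit(" ", 1)[1]   # CKO_CERTIFICATE / CKO_NSS_TRUST / ...
            label = None
            continue
        m = _LABEL_RE.match(line)
        if m:
            label = m.group(1)
            if current_class == "CKO_NSS_TRUST":
                trust.setdefault(label, {})
            continue
        if line == "CKA_VALUE MULTILINE_OCTAL" and current_class == "CKO_CERTIFICATE":
            # Octal escapes (\060 ...) continue until a line reading END.
            der = bytearray()
            for octal_line in lines:
                if octal_line.strip() == "END":
                    break
                der.extend(int(o, 8) for o in _OCTAL_RE.findall(octal_line))
            certs[label] = bytes(der)
            continue
        if line.startswith("CKA_TRUST_") and current_class == "CKO_NSS_TRUST":
            attr, _ck_type, value = line.split(" ")
            trust[label][attr[len("CKA_TRUST_"):]] = value   # e.g. SERVER_AUTH
    return certs, trust


def select_roots(certs: Dict[str, bytes], trust: Dict[str, Dict[str, str]],
                 purpose: str = "SERVER_AUTH",
                 level: str = "CKT_NSS_TRUSTED_DELEGATOR") -> List[str]:
    """Labels of roots granted `level` for `purpose` (mk-ca-bundle.pl's default).

    CKT_NSS_NOT_TRUSTED is explicit distrust and must never be emitted;
    CKT_NSS_MUST_VERIFY_TRUST means 'not an anchor for this purpose'.
    """
    return [lbl for lbl in certs if trust.get(lbl, {}).get(purpose) == level]


def der_to_pem(der: bytes) -> str:
    """Base64 the DER and wrap at 64 columns, as in ca-bundle.crt."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def build_bundle(text: str) -> str:
    """certdata.txt text -> PEM bundle containing only server-auth trust anchors."""
    certs, trust = parse_certdata(text)
    return "\n".join(f"{lbl}\n{'=' * len(lbl)}\n{der_to_pem(certs[lbl])}"
                     for lbl in select_roots(certs, trust))


def count_pem_certs(bundle: str) -> int:
    return bundle.count("-----BEGIN CERTIFICATE-----")


if __name__ == "__main__":
    out = build_bundle(SAMPLE_CERTDATA)
    print(out)
    print("certificates written:", count_pem_certs(out))
```

Run against a real certdata.txt, the e-mail-only and distrusted entries are exactly the ones a naive "convert every CKA_VALUE to PEM" script would wrongly let into your TLS trust store, which is why the trust record, not just the certificate, is the part to get right.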
The idea is that you update your SSL root CAs regularly enough (at least once every 5 years is enough; once every month is preferred) to get the newly issued root CAs that will carry you far into the future using your existing soon-to-expire root CAs, thus perpetually bunny-hopping every 20-40 years or so from each iteration of each root CA.
If you have invalid SSL certificates or are trying to generate SSL certificates to bootstrap TLS in automated computer setup, then you're doing things wrong. Just flat out wrong! You should bundle the latest root CAs with all your deployment platforms and use CI/CD to keep them regularly updated so fresh installs receive a fresh root CA package ready-to-go.
If you can't do that for whatever reason, then the next best option is to rely on the GNU GPG keyring signed by Canonical or Red Hat or whatever your favorite flavour of Linux ice cream is. Update the package lists and install ca-certificates via plain insecure HTTP using any modern package manager, and the downloaded packages will be verified against a hashsum in a package list file whose checksum is GPG signed to guarantee perfect security. THEN you can use HTTPS / TLS safely and securely.