Skip to content

Instantly share code, notes, and snippets.

@jjb
Created May 27, 2011 22:11
Show Gist options
  • Save jjb/996292 to your computer and use it in GitHub Desktop.
Save jjb/996292 to your computer and use it in GitHub Desktop.
How to securely acquire the Mozilla root certificate bundle for use with curl, Net::HTTP, etc.

If you want to use curl or net-http/open-uri to access https resources, you will often (always?) get an error, because they don't have the large number of root certificates installed that web browsers have.

You can manually install the root certs, but first you have to get them from somewhere. This article gives a nice description of how to do that. The source of the cert files it points to is hosted by the curl project, who kindly provide it in the .pem format.

problem: Sadly, ironically, and comically, it's not possible to access that file via https! Luckily, the awesome curl project does provide us with the script that they use to produce the file, so we can do it securely ourselves. Here's how.

  1. git clone https://github.com/bagder/curl.git

  2. cd curl/lib

  3. edit mk-ca-bundle.pl and change:

    my $url = 'http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1';

    to

    my $url = 'https://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1';

    (change http to https)

  4. ./mk-ca-bundle.pl

Ta da!

@unimatrixZxero
Copy link

I get the same message.

@nfirvine
Copy link

And why do you think that is? There's basically no point in fetching over SSL if you can't tell who you're talking to.

http://research.zscaler.com/2008/10/ssl-encryption-without-authentication.html

@jocutajar
Copy link

The mozilla cert could be fingerprinted or included in the software so that other certs can be downloaded securely.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment