This is likely a problem with OpenSSL and not curl but regardless I was
surprised to see :


europa$
europa$ curl -4 -L --url 'https://gitlab.com/' -o /dev/null
% Total % Received % Xferd Average Speed Time Time Time
Current
Dload Upload Total Spent Left
Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:--
0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
europa$

europa$ curl --version
curl 7.75.0 (x86_64-unknown-freebsd13.0) libcurl/7.75.0 OpenSSL/1.1.1k
zlib/1.2.11 libidn2/2.3.0 libssh2/1.9.0
Release-Date: 2021-02-03
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt
pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HTTPS-proxy IDN Largefile libz NTLM NTLM_WB
SSL TLS-SRP UnixSockets
europa$

So I looked into the location where the ssl certs "should" be given my
curl config :

$ ./configure --prefix=/opt/bw --disable-dependency-tracking \
--disable-silent-rules --without-gnu-ld --enable-shared \
--enable-static \
--with-libidn=/usr/local --with-libidn2=/usr/local \
--with-ssl=/opt/bw --with-ca-path=/opt/bw/ssl/certs \
--enable-tls-srp --with-libssh2

So I expect that the cacert.pem file at

https://curl.se/docs/caextract.html

would solve all my problems however :

europa$ ls -lapb /opt/bw/ssl/certs/
total 350
drwxr-xr-x 2 root wheel 3 Apr 8 02:35 ./
drwxr-xr-x 5 root wheel 9 Apr 7 00:14 ../
-rw-r--r-- 1 root wheel 208075 Jan 19 04:12 cacert.pem
europa$

This does not help at all and even OpenSSL seems confused.

So I try to debug this with the s_client sub-command and see something
obvious right away :


europa# /opt/bw/bin/openssl s_client -4 -showcerts -connect gitlab.com:443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
Network, CN = USERTrust RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo
Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = gitlab.com
verify return:1
---
Certificate chain
0 s:CN = gitlab.com
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited,
CN = Sectigo RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
MIIGBzCCBO+gAwIBAgIQP8Jvo234xjti44c2dq2FnDANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQD
.
.
.

etc etc etc

The "unable to get local issuer certificate" is the problem.

However the default FreeBSD system openssl here seems to have no issues:

CONNECTED(00000004)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST
Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo
Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = gitlab.com
verify return:1
---
Certificate chain
0 s:CN = gitlab.com
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited,
CN = Sectigo RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
MIIGBzCCBO+gAwIBAgIQP8Jvo234xjti44c2dq2FnDANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQD
.
.
.
etc etc etc

So there must be a problem with the location of the ssl certs or the
contents of that cacert.pem file. So I dump out all the contents :

openssl crl2pkcs7 -nocrl -certfile /opt/bw/ssl/certs/cacert.pem | \
openssl pkcs7 -print_certs -text > /var/tmp/dclarke/pile



I think the data I need is in there :

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
5c:8b:99:c5:5a:94:c5:d2:71:56:de:cd:89:80:cc:26
Signature Algorithm: ecdsa-with-SHA384
Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST
Network, CN=USERTrust ECC Certification Authority
Validity
Not Before: Feb 1 00:00:00 2010 GMT
Not After : Jan 18 23:59:59 2038 GMT
Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST
Network, CN=USERTrust ECC Certification Authority
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
.
.
.etc etc etc


Also this :

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
Signature Algorithm: sha384WithRSAEncryption
Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST
Network, CN=USERTrust RSA Certification Authority
Validity
Not Before: Feb 1 00:00:00 2010 GMT
Not After : Jan 18 23:59:59 2038 GMT
Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST
Network, CN=USERTrust RSA Certification Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)


Those exact serial numbers also exist in the FreeBSD default cert pile :

europa$ ls -la /usr/share/certs/trusted/USERTrust_*
-r--r--r-- 1 root wheel 3238 Apr 4 03:34
/usr/share/certs/trusted/USERTrust_ECC_Certification_Authority.pem
-r--r--r-- 1 root wheel 7669 Apr 4 03:34
/usr/share/certs/trusted/USERTrust_RSA_Certification_Authority.pem
europa$

I checked them.

So I am baffled. What do I need in the SSL certs directory for both
OpenSSL and curl to be happy ? Is this an OpenSSL question and not
really a curl question ?