chrestomanci has asked for the wisdom of the Perl Monks concerning the following question:

Greetings wise brothers, I seek your advice on secret communication an how we can be sure we know who we are talking to.

Specifically, I am trying to get LWP::UserAgent running inside a locally compiled perlbrew install, to accept a corporate root cert.

At my company, IT have created a private SSL certificate keypair, and used it to sign the ssl certs on numerous internal servers. They also publish the public half of the SSL cert which (on ubuntu) I have installed in /etc/ssl/certs/ where it is accepted by system perl, firefox, wget etc.

For some reason the corporate public certificate is not accepted by a perlbrew install of perl 5.10 that I have compiled localy. Do I need to install the corporate root cert somewhere else for perlbrew to accept it?

Code to reproduce

use strict; use warnings; use XML::Simple; use LWP::UserAgent; use Data::Dumper; my $url = "https://--- REDACTED ----"; my $parser = new XML::Simple; my $ua = new LWP::UserAgent; # $ua->ssl_opts( verify_hostname => 0 ,SSL_verify_mode => 0x00); my $req = new HTTP::Request('GET', $url); my $resp = $ua->request($req); # print "Result from fetching $url : " . Dumper($resp); if( $resp->is_success() ){ # print "Result content: ". $resp->content; eval{ my $parsed_xml = $parser->XMLin($resp->content, ForceArray => +['publishedfile']); }; if( $@ ){ print "Error parsing XML: $@"; } else { print "File downloaded and XML parsed OK" } } else { die "Error fetching $url : ".$resp->message; }

This code works fine using Ubuntu's system perl on all the versions of Ubuntu I could find. It also works if I uncomment the $ua->ssl_opts( verify_hostname => 0 ,SSL_verify_mode => 0x00); line, But it fails on line 35 with  Can't connect to REDACTED:443 (certificate verify failed) at scripts/dev/test_ssl_download.pl line 35. if I use perlbrew perl.

Any ideas?

NB: I asked this question in chatterbox about an hour ago, but did not get a reply, so I am re-posting as a perl question.

Replies are listed 'Best First'.
Re: SSL certificate store for a Perlbrew install
by hippo (Chancellor) on Jan 14, 2021 at 17:12 UTC

    Have you tried setting SSL_ca_path as detailed in IO::Socket::SSL?

    I would also recommend use IO::Socket::SSL 'debug4'; during testing which might provide better diagnostics on what is really wrong.

    Note that you can view last hour of cb if you miss any replies to your chatterbox messages.


    🦛

Re: SSL certificate store for a Perlbrew install
by chrestomanci (Priest) on Jan 15, 2021 at 16:09 UTC

    I have done some investigation, and found a .pem file <c>/root/cluster/local/lib/perl5/Mozilla/CA/cacert.pem<c> that appears to have a large number of root certificates concatenated together, and the SSL_ca_file() function in the Mozilla::CA module.

    I tried converting my company root cert to .pem format and appending it to the end of cacert.pem file, but it did not fix the problem.

    The cacert.pem file full of certificates is also inconsistent with the fact that my company root cert is accepted without any special configuration on other Ubuntu machines that are running system perl.

      That's not what you're looking for. That's a concatenation of public "well-known root certificates," not your self-signed ones nor the certs needed to verify them.