Installing a new ca certificate for Perl 5.14.2 LWP on Ubuntu 12.04

Question

I am getting the following error trying to connect to a specific https website using LWP:

LWP::Protocol::https::Socket: SSL connect attempt failed with unknown errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at /usr/local/share/perl/5.14.2/LWP/Protocol/http.pm line 51.

I tried with wget and got:

ERROR: cannot verify [domain]'s certificate, issued by `/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=********':
  Unable to locally verify the issuer's authority.

I googled around and discovered that I probably had to install the godaddy root ca cert. I figured out how to do that (download certificates, put in /usr/share/ca-certificates and run update-ca-certificates). I also learnt how to use openssl s_client in the process.

Now that the certificate is installed, wget works, but LWP still fails with the same error and so does openssl s_client:

# openssl s_client -connect [domain]:443
CONNECTED(00000003)
depth=0 O = [domain], OU = Domain Control Validated, CN = [domain]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = [domain], OU = Domain Control Validated, CN = [domain]
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = [domain], OU = Domain Control Validated, CN = [domain]
verify error:num=21:unable to verify the first certificate
verify return:1

I have no idea where to go next to get this working. Any suggestions?

---

EDIT: SOLVED Here is a simple script that describes what worked after mikew's suggestion:

#!/usr/bin/perl
use LWP::UserAgent;
$URL="[domain]";
my $ua = LWP::UserAgent->new(ssl_opts => { SSL_ca_path=>'/etc/ssl/certs'});
my $response = $ua->get($URL);

Answer 1

For a more specific answer, we'd need to know how you are instantiating your LWP object.

But what you probably need to know about is the SSL_ca_file and SSL_ca_path options for ssl_opts in the LWP constructor. Without one of these set, it assumes the Mozilla_CA is the CA to to use to verify websites.

See LWP::Protocol::https And LWP::UserAgent, ssl_opts constructor option.

If you are using something like lwp-download and not actually instantiating the LWP::UserAgent object yourself, then you need to set the PERL_LWP_SSL_CA_FILE environment variable to point to your certificate authority or set PERL_LWP_SSL_CA_PATH to your CA path. You can just set these instead of passing in to ssl_opts as well.

If you aren't particularly worried about doing all this verification and like to live dangerously, you can set verify_hostname => 0 for ssl_opts or set PERL_LWP_VERIFY_HOSTNAME environment variable to 0.

And as noted in the documentation, LWP 5.837 and earlier had verify_hostname off by default, whereas later versions default to it being on