Peer certificate cannot be authenticated with known CA certificates

So, this bittorrent site switched to HTTP Secure. And in the name of HTTPS Everywhere I praise them for that. Yet my beloved rTorrent client seems to have a problem with that:

(15:17:33) Peer certificate cannot be authenticated with known CA certificates: 
Which is strange, because my browsers don't have a problem with it. cURL, however, sides with rTorrent:
$ curl -I
  curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
  error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Hm, what's up with that? The browser shows "Equifax Secure Certificate Authority" as the issuer, and there are indeed Equifax certificates in /etc/ssl/certs. But apparently not the ones that are needed:
$ strace curl -I 2>&1 | grep etc/ssl
stat64("/etc/ssl/certs/2f2c2f7c.0", 0xbf8e2148) = -1 ENOENT (No such file or directory)
So cURL is looking for a certificate file named after the hash 2f2c2f7c. Of course, we cannot reconstruct the certificate from the hash alone. But we can search for it :-)

Looking around, we find something like this. OK, the hash matches. But where does the certificate come from? Searching a bit more brings us to "GeoTrust Intermediate CA Certificates for Rapid SSL". Extracting the GeoTrust Rapid SSL Primary Intermediate CA Certificate and inspecting it, we see:
$ openssl x509 -hash -fingerprint -noout -in geotrust_ca_rapid_ssl.crt 
SHA1 Fingerprint=C0:39:A3:26:9E:E4:B8:E8:2D:00:C5:3F:A7:97:B5:A1:9E:83:6F:47
The hash matches ;-) We'll now move it to our default certificate store and run c_rehash to generate the hash-named symlink that cURL was looking for:
$ sudo mv geotrust_ca_rapid_ssl.crt /etc/ssl/certs/
$ sudo c_rehash /etc/ssl/certs
geotrust_ca_rapid_ssl.crt => 2f2c2f7c.0
Now cURL works fine:
$ curl -I
HTTP/1.1 200 OK
Content-Type: text/html
ETag: "1070355883"
Last-Modified: Tue, 10 Nov 2009 11:25:43 GMT
Expires: Thu, 08 Sep 2011 11:22:36 GMT
Cache-Control: max-age=172800
Server: lighttpd
Content-Length: 5
Date: Tue, 06 Sep 2011 23:12:32 GMT
X-Varnish: 1297278148 1293045530
Age: 42648
Via: 1.1 varnish
Connection: keep-alive
...and so does rTorrent :-)

However, the question remains how trustworthy this GeoTrust Rapid SSL Primary Intermediate CA Certificate really is. You may feel more comfortable just adding the site's own certificate to the certificate store instead of the whole CA:
$ echo | openssl s_client -connect 2>/dev/null | \
   sed -n '/BEGIN/,/END/p'  > tpb.crt
$ sudo mv tpb.crt /etc/ssl/certs
$ sudo c_rehash /etc/ssl/certs
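The following script is an added example and not code from the original post. It reproduces the whole diagnosis above offline: a throwaway root, intermediate and leaf certificate, a directory that stands in for /etc/ssl/certs, the verification failure that occurs while only the root is on file, and the fix of filing the missing issuer under its subject hash the way c_rehash does (the .0/.1 suffix rule is written out by hand so you can see what the symlink name means). It assumes only that the openssl command-line tool is on PATH; every name, key and certificate in it is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the post's diagnosis
# offline with a constructed root -> intermediate -> leaf chain and a directory
# that plays the role of /etc/ssl/certs. Assumes only that the openssl CLI is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
STORE="$WORK/certs"          # stand-in for /etc/ssl/certs
mkdir -p "$STORE"

# Minimal config: an empty DN section (subjects come from -subj) and CA extensions
# for the root and the intermediate. The leaf gets no extensions.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Self-signed root, an intermediate signed by it, a leaf signed by the intermediate.
# Key-generation chatter goes to /dev/null; a real failure still aborts via set -e.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test Root" \
    -config "$WORK/req.cnf" -extensions ca_ext \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Test Intermediate" \
    -config "$WORK/req.cnf" -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/req.cnf" -extensions ca_ext -out "$WORK/inter.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.test" \
    -config "$WORK/req.cnf" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -out "$WORK/leaf.crt" 2>/dev/null

# File a certificate in the store the way c_rehash does: copy it in and add a
# symlink named <subject hash>.N, using the first free N so that two certificates
# whose subject hashes collide end up as .0 and .1 instead of clobbering each other.
# Prints the link name that was created.
install_cert() {
    _hash=$(openssl x509 -subject_hash -noout -in "$1")
    _n=0
    while [ -e "$STORE/$_hash.$_n" ]; do _n=$((_n + 1)); done
    cp "$1" "$STORE/$(basename "$1")"
    ln -s "$(basename "$1")" "$STORE/$_hash.$_n"
    echo "$_hash.$_n"
}

# Verify the leaf with our directory on the CApath; prints "ok" or "fail".
verify_leaf() {
    if openssl verify -CApath "$STORE" "$WORK/leaf.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# The file name OpenSSL will look for when it needs the leaf's issuer: the same
# <hash>.0 the post recovered from the strace output, without needing strace.
wanted_issuer_file() {
    echo "$(openssl x509 -issuer_hash -noout -in "$WORK/leaf.crt").0"
}

ROOT_ENTRY=$(install_cert "$WORK/root.crt")
BEFORE=$(verify_leaf)        # fail: root on file, but the leaf's issuer (the intermediate) is not
INTER_ENTRY=$(install_cert "$WORK/inter.crt")
AFTER=$(verify_leaf)         # ok: the chain leaf -> intermediate -> root can now be built

echo "root filed as $ROOT_ENTRY; verify before adding the intermediate: $BEFORE"
echo "leaf's issuer expected at $(wanted_issuer_file), filed as $INTER_ENTRY; verify after: $AFTER"
```

Two things worth noting from running it. First, `openssl x509 -issuer_hash -noout -in <leaf>` names the file the verifier is going to look for, which is a quicker diagnosis than tracing stat() calls. Second, filing the intermediate does not make it a trust anchor on its own in OpenSSL's default mode: verification still only succeeds because the chain built through it ends at a self-signed root that was already in the store, which is the situation in the post, where the Equifax root was present and only the intermediate was missing. The same subject-hash naming applies whichever certificate you decide to file, so the second variant in the post (the site's own certificate rather than the intermediate) ends up under its own <hash>.0 link after c_rehash in exactly the same way.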