newspaint

Documenting Problems That Were Difficult To Find The Answer To

Perl LWP or Mechanize Certificate Verify Failed

The Problem

Sometimes SSL certificates are not valid because the domain in the certificate does not match the domain of the URL being fetched.

The following example script demonstrates this with WWW::Mechanize (although the issue is the same with LWP::UserAgent and the fix is also the same):

#!/usr/bin/perl -w

use WWW::Mechanize;
use strict;

my $ua = WWW::Mechanize->new();
my $resp = $ua->get( "https://ccc.de/" );
if ( ! $resp->is_success ) {
    die( "Failed to fetch: " . $resp->status_line );
}
print( "Fetched\n" );

When run the following output is produced:

Error GETing https://ccc.de/: Can't connect to ccc.de:443 (certificate verify failed) at /tmp/test.pl line 7

When using LWP::UserAgent instead of WWW::Mechanize the error message is very similar:

Failed to fetch: 500 Can't connect to ccc.de:443 (certificate verify failed) at /tmp/test.pl line 9.

The Solution

The quick-and-dirty fix was documented on this blog post: set the verify_hostname flag to zero using the ssl_opts() function – as shown in the updated script:

#!/usr/bin/perl -w

use WWW::Mechanize;
use strict;

my $ua = WWW::Mechanize->new();
$ua->ssl_opts( 'verify_hostname' => 0 );
my $resp = $ua->get( "https://ccc.de/" );
if ( ! $resp->is_success ) {
    die( "Failed to fetch: " . $resp->status_line );
}
print( "Fetched\n" );

Note that the more correct solution is to tell Perl what certificates are valid and acceptable – this is a lot more work but necessary if you want your script to be more secure.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: