UNIX curl with https fails with error 77 workarounds
At least as far back as R2016b, Matlab's version of libcurl points to /etc/ssl/certs/ca-certificates.crt for the Certificate Authority (CA) bundle for verifying host certificates. The problem is that this file does not exist on RHEL/CentOS 6/7 or Fedora Core machines (and likely other Linux distros). Therefore, any system executable linked to libcurl will fail on any https URL when run from inside Matlab with unix() or system(). I have found several workarounds but I'm wondering if I'm missing a better/more obvious one.
The most general and robust one I came up with (at least back to R2016b) is setting the environment variable SSL_CERT_FILE to the appropriate CA bundle file on the system, which in my case is /etc/ssl/certs/ca-bundle.crt, before opening Matlab. It should be noted that I only stumbled on this option in the "MATLAB Production Server" security docs:
https://www.mathworks.com/help/mps/server/x509usesystemstore.html
Other successful workarounds:
- Create a symlink named ca-certificates.crt pointing to ca-bundle.crt in /etc/ssl/certs. This runs the risk of getting deleted during system updates.
- Replace Matlab's libcurl with the libcurl from the system. This runs the risk of breaking something else inside Matlab.
- Unset the LD_LIBRARY_PATH in the same unix() call (i.e. unix('export -n LD_LIBRARY_PATH;/usr/bin/curl https://host.com') ). It should be noted that this works all the way back to at least 2012 or whenever libcurl started shipping with Matlab. Between ~R2012 and ~R2015 the libcurl that shipped with Matlab was not built with SSL support. Before Matlab shipped with libcurl there was no issue using these commands as long as the system's curl was built with SSL support.
- Tell curl to connect without validating certificates: unix('/usr/bin/curl -k https://host.com'). This allows an unvalidated connect so it's encrypted but not necessarily secure and not every application that's linked to libcurl has a flag like this.
- Explicitly tell curl where the correct CA bundle is: unix('/usr/bin/curl --cacert /etc/ssl/certs/ca-bundle.crt https://host.com'). Not every application that's linked to libcurl has the option to set the CA bundle file location.
I admit that I did very little searching in the Matlab preferences for another solution because normally we use this kind of procedure in a cron job starting Matlab unattended.
To reproduce the error I'm getting:
fail=unix('/usr/bin/curl -v https://www.mathworks.com --output /tmp/junk')
* Rebuilt URL to: https://www.mathworks.com/
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 104.107.16.196...
* TCP_NODELAY set
* Connected to www.mathworks.com (104.107.16.196) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* error setting certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
curl: (77) error setting certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
fail =
77
0 comments
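The first workaround in the question (setting SSL_CERT_FILE before MATLAB starts), written as a wrapper for an unattended cron job. This is an added example, not part of the original post; the candidate paths beyond the two named in the post, the script name and the MATLAB job name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): pick a usable CA bundle, export
# SSL_CERT_FILE, then run the given command (e.g. MATLAB started from cron).

# Candidate bundle paths. The first two are named in the post; the others are
# common distro defaults and are assumptions to adjust for your system.
CA_CANDIDATES="/etc/ssl/certs/ca-certificates.crt
/etc/ssl/certs/ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
/etc/ssl/ca-bundle.pem"

# Print the first argument that is a readable, non-empty regular file holding
# at least one PEM certificate; return 1 if none qualifies.
find_ca_bundle() {
  for f in "$@"; do
    [ -f "$f" ] && [ -r "$f" ] && [ -s "$f" ] || continue
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null || continue
    printf '%s\n' "$f"
    return 0
  done
  return 1
}

# Export SSL_CERT_FILE (a pre-set, valid value wins) and run the command.
# Fails closed: without a bundle nothing is run, and certificate verification
# is never switched off. The status 77 mirrors curl's error code from the post.
run_with_ca_bundle() {
  # Word splitting of $CA_CANDIDATES is intended (paths contain no spaces).
  bundle=$(find_ca_bundle ${SSL_CERT_FILE:+"$SSL_CERT_FILE"} $CA_CANDIDATES) || {
    echo "no usable CA bundle found" >&2
    return 77
  }
  SSL_CERT_FILE=$bundle
  export SSL_CERT_FILE
  "$@"
}

# Usage (hypothetical script and job names):
#   with-ca-bundle.sh matlab -nodisplay -r "my_job; exit"
if [ "$#" -gt 0 ]; then
  run_with_ca_bundle "$@"
fi
```

Because the variable is set in the environment MATLAB inherits, every libcurl-linked program started through unix() or system() picks it up without needing its own --cacert option.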
Answers (1)
Christian Skorski
on 11 Nov 2021
Edited: Christian Skorski
on 11 Nov 2021
Thank you for this, I lost countless hours trying to solve this problem (I also tried installing another distro), and your post saved me from going completely mad. After nearly three years, the problem still hasn't been addressed.
It's amazing how shoddily Matlab is programmed, considering how much it costs without a student license. I will never buy it for sure.
0 comments