Package: curl
Version: 7.64.0-4
Uname: Linux d2c5e376a123 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u5
(2017-09-19) x86_64 GNU/Linux

The curl packages in buster are compiled without the "--with-ca-bundle" option,
which permits the use of custom ca-certificates. Here is the diff between
stretch and buster:

--- curl-conf-stretch.txt 2020-01-08 17:45:41.425819210 +0100
+++ curl-conf-buster.txt  2020-01-08 17:47:46.665051373 +0100
@@ -9,8 +9,7 @@
 '--disable-silent-rules'
 '--libdir=/usr/lib/'`dpkg-architecture
 -qDEB_HOST_MULTIARCH`
-'--libexecdir=/usr/lib/'`dpkg-architecture
--qDEB_HOST_MULTIARCH`
+'--runstatedir=/run'
 '--disable-maintainer-mode'
 '--disable-dependency-tracking'
 '--disable-symbol-hiding'
@@ -18,17 +17,16 @@
 '--enable-threaded-resolver'
 '--with-lber-lib=lber'
 '--with-gssapi=/usr'
+'--with-libssh2'
 '--with-nghttp2'
 '--includedir=/usr/include/'`dpkg-architecture
 -qDEB_HOST_MULTIARCH`
 '--with-zsh-functions-dir=/usr/share/zsh/vendor-completions'
 '--with-ca-path=/etc/ssl/certs'
-'--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt'
 'build_alias='`dpkg-architecture
 -qDEB_BUILD_GNU_TYPE`
 'CFLAGS=-g
 -O2
--fdebug-prefix-map=/build/curl-jN7SFf/curl-7.52.1=.
 -fstack-protector-strong
 -Wformat
 -Werror=format-security'
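
Review bot: the second hunk drops '--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt' and keeps only '--with-ca-path=/etc/ssl/certs', so the buster option list names a default certificate directory but no default bundle file. If the removal is intended it deserves a changelog entry, since callers that depended on the bundle default may behave differently; otherwise the option should be restored. The removed '-fdebug-prefix-map=...' line is build-path noise and would be better filtered out before diffing the two lists.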

As you can see, the "--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt"
has been removed from buster. Then, adding a new certificate and executing
update-ca-certificates has no effect, neither for curl itself nor when using
curl through Python. The workaround for setuptools is to use these envars
(cf. https://github.com/pypa/setuptools/issues/1630 ):
- CURL_CA_BUNDLE
- REQUESTS_CA_BUNDLE
- SSL_CERT_FILE

It's easy to see the differences by using Docker (debian:stretch-slim and
debian:buster-slim). You can try these commands:

apt-get update && apt-get install -y curl libcurl4-openssl-dev &&
curl-config --configure

-- 
Perron Nicolas
PGP KeyID: 80A84BAB
<http://keys.gnupg.net/pks/lookup?op=get&search=0x04AF6C5A80A84BAB>
Keybase: kelindil_fr
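
Added example, not part of the original report: a shell check that reads a `curl-config --configure` option list, reports whether a default CA bundle file, a CA directory, or both were compiled in, and prints the environment variables named in the report when no bundle is present. The function names and the two sample option strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect the trust-store defaults baked into a curl build.
# Input is the text printed by `curl-config --configure`.

# Print the value of one --with-<name>=<value> option, or nothing if absent.
# $1 = configure output, $2 = option name (for example ca-bundle)
configure_opt() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        sed -n "s/^'*--with-$2=\([^']*\)'*\$/\1/p" | head -n 1
}

# Classify the build: bundle+path, bundle-only, path-only or unspecified.
trust_store_state() {
    bundle=$(configure_opt "$1" ca-bundle)
    path=$(configure_opt "$1" ca-path)
    if [ -n "$bundle" ] && [ -n "$path" ]; then
        echo "bundle+path"
    elif [ -n "$bundle" ]; then
        echo "bundle-only"
    elif [ -n "$path" ]; then
        echo "path-only"
    else
        echo "unspecified"
    fi
}

# When no default bundle is compiled in, print exports for the three
# variables listed in the report. $2 = bundle file to point them at.
workaround_exports() {
    case $(trust_store_state "$1") in
        bundle*) ;;  # a default bundle exists, nothing to export
        *)
            for v in CURL_CA_BUNDLE REQUESTS_CA_BUNDLE SSL_CERT_FILE; do
                printf 'export %s=%s\n' "$v" "$2"
            done
            ;;
    esac
}

# Constructed samples, abbreviated from the two option lists in the report.
STRETCH="'--with-ca-path=/etc/ssl/certs' '--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt'"
BUSTER="'--with-libssh2' '--with-nghttp2' '--with-ca-path=/etc/ssl/certs'"

echo "stretch: $(trust_store_state "$STRETCH")"
echo "buster:  $(trust_store_state "$BUSTER")"
workaround_exports "$BUSTER" /etc/ssl/certs/ca-certificates.crt
```

On a live system, pass the real option list with `trust_store_state "$(curl-config --configure)"`.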
