Curl command for https ( SSL )

Question

I am trying to run the following CURL command but I am getting a SSL Certificate error:

curl https://example.com:8443/cli/agentCLI -u username:password

Error:

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). The default bundle is named curl-ca-bundle.crt; you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

How would I fix this issue to allow for SSL URLs?

Answer 1

if you're using a self signed certificate on the server, you can use:

curl -k https://example.com:8443/cli/agentCLI -u username:password

but be aware that then it's no better than using non SSL connection to the server, as your communication won't be secure anymore, enabling all sorts of man in the middle attacks.

Though my advice to you is to download the .pem from the server:

• that is usually found in /etc/ssl/ if you have access to the server,
• or that you can download,

using:

echo "HEAD / HTTP/1.0\n Host: example.com\n\n EOT\n" | openssl s_client -prexit -connect example.com:8443 > cert.pem

to your computer, keep only the part between BEGIN CERTIFICATE and END CERTIFICATE within the file (including the BEGIN/END lines) and give it as parameter to the --cacert option, you might also download it. Then you'll get to authenticate your server each time you connect!

curl --cacert cert.pem https://example.com:8443/cli/agentCLI -u username:password

---

Testing on my own self-signed server, it's working fine:

% openssl s_client -showcerts -connect example.com:443 </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | grep -m1 -B-1 -- '-----END CERTIFICATE-----'  > cert.pem
% curl --cacert cert.pem https://example.com

---

for an example that should be working:

% openssl s_client -showcerts -connect git.cryptolib.org:443 </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | grep -m1 -B-1 -- '-----END CERTIFICATE-----'  > cert.pem
% curl --cacert cert.pem https://git.cryptolib.org
curl: (51) SSL: certificate verification failed (result: 5)

but sadly it's not.

I also tried to do, as suggested here:

% openssl x509 -inform PEM -in cert.pem -text -out certdata.pem
% curl --cacert certdata.pem https://git.cryptolib.org

Which is not working, because that site (git.cryptolib.org) I'm using for testing is not self-signed, but it's from the CACert chain, which can be solved by using the CACert root certificates, following this FAQ.

---

a few resources to dig:

• http://curl.haxx.se/docs/sslcerts.html
• http://curl.haxx.se/mail/archive-2012-01/0049.html
• https://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/
• http://curl.haxx.se/docs/caextract.html
• curl self-signed certificate web service over SSL

But no definitive answer so far :-s