I am trying to do a cURL to a 3rd party server. They provided me with a p12 file which I installed in my browser. When using the browser I get a response from the server. When doing a cURL from the Linux terminal I get handshake errors.
I extracted the .p12 to a key and cert and then I run the following command:
curl --key client.key --cert client.crt -X GET -v https://x.x.x.x:xxxx/folder/endpoint
And get the following reply:
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying x.x.x.x...
* TCP_NODELAY set
* Connected to x.x.x.x (x.x.x.x) port xxxx (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Do I need to add a self-signed certificate somewhere? I feel like I am missing something. As said earlier, it works from my browser where the cert was imported so I am certain that there is not an issue with their cert. I know I am missing something.
Thanks,
Yes, you need to add the --cacert option to the curl command, if you have it downloaded or have a self-signed certificate (in my case).
curl --key client.key --cert client.crt --cacert bundle.pem -X GET -v https://x.x.x.x:xxxx/folder/endpoint
The bundle.pem has the server.crt and rootCA.crt.
cat server.crt rootCA.crt >> bundle.pem
Your error message is:
unable to get local issuer certificate
That means curl is unable to find the certificate of the issuer (the CA who signed the server certificate) in the trust store:
/etc/ssl/certs/ca-certificates.crt
All you have to do is download the CA certificate and add it to the trust store.
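The failure both answers describe can be reproduced offline. This is an added example, not code from either answer: a throwaway root CA signs a server certificate, and `openssl verify` reports the same "unable to get local issuer certificate" until the issuing CA is supplied, which is what curl's `--cacert` does. All file names and subjects are constructed for the demo.

```shell
#!/bin/sh
# Constructed offline demo; every key, cert and subject below is made up.

make_demo_pki() {   # $1 = directory to fill with a throwaway PKI
    dir=$1
    # Private root CA, standing in for the third party's issuing CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Private Root CA" \
        -keyout "$dir/rootCA.key" -out "$dir/rootCA.crt" 2>/dev/null &&
    # Server key and CSR, then a server certificate signed by that root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-server" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/server.csr" -days 2 \
        -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null &&
    # An unrelated CA, standing in for a trust store that lacks the issuer.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Unrelated CA" \
        -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null
}

verify_with() {     # $1 = CA file, $2 = certificate to check
    # Prints "OK", or the reason openssl gives for rejecting the chain.
    out=$(openssl verify -CAfile "$1" "$2" 2>&1)
    case "$out" in
        *": OK"*) echo "OK" ;;
        *) echo "$out" |
             sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' |
             head -n 1 ;;
    esac
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" || return 1
    # Trust store without the issuer: the error from the question.
    echo "without issuer CA: $(verify_with "$tmp/other.crt" "$tmp/server.crt")"
    # Issuer supplied, as with: curl --cacert rootCA.crt --cert ... --key ...
    echo "with issuer CA   : $(verify_with "$tmp/rootCA.crt" "$tmp/server.crt")"
    rm -rf "$tmp"
}

demo
```

The second check passes with the root CA alone in the CA file; the server's own certificate does not have to be part of it for the chain to verify.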