https connection using CURL from command line

command-line certificate https ssl curl

I am new to Curl and Cacerts world and facing a problem while connecting to a server. Basically, I need to test connectivity over https from one machine to another machine. I have a URL to which I need to connect from Machine A (a linux machine) I tried this on command prompt

cmd> curl https://[my domain or IP address]

and got the following:

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

On going through some articles over internet I did this:

openssl s_client -connect <domain name or Ip address>:443

and got some response including the server certificate (inside -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).

What should I do next from here. I think, I will have to just copy paste the text inside BEGIN CERTIFICATE & END CERTIFICATE and save it in a file. But, What type of file it should be? .pem, .crt ?.. What should I be do after that?

I tried this - copied the text inside BEGIN CERTIFICATE & END CERTIFICATE and saved it in a .crt file - named it as my-ca.crt (also tried the same thing by naming it as my-ca.pem file) and then did this:

cmd>curl --cacert my-ca.crt https://[my domain or IP address]

But got the same error.


I had the same problem - I was fetching a page from my own site, which was served over HTTPS, but curl was giving the same "SSL certificate problem" message. I worked around it by adding a -k flag to the call to allow insecure connections.

curl -k https://whatever.com/script.php

Edit: I discovered the root of the problem. I was using an SSL certificate (from StartSSL, but I don't think that matters much) and hadn't set up the intermediate certificate properly. If you're having the same problem as user1270392 above, it's probably a good idea to test your SSL cert and fix any issues with it before resorting to the curl -k fix.


Simple solution

That's my everyday script:

curl --insecure -v https://www.google.com 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'

Output:

* Server certificate:
*    subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
*    start date: 2016-01-07 11:34:33 GMT
*    expire date: 2016-04-06 00:00:00 GMT
*    issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
*    SSL certificate verify ok.
* Server GFE/2.0 is not blacklisted
* Connection #0 to host www.google.com left intact

You need to provide the entire certificate chain to curl, since curl no longer ships with any CA certs. Since the cacert option can only use one file, you need to concat the full chain info into 1 file

Copy the certificate chain (from your browser, for example) into DER encoded binary x.509(.cer). Do this for each cert.

Convert the certs into PEM, and concat them into 1 file. 

openssl x509 -inform DES -in file1.cer -out file1.pem -text
openssl x509 -inform DES -in file2.cer -out file2.pem -text
openssl x509 -inform DES -in file3.cer -out file3.pem -text

cat *.pem > certRepo

curl --cacert certRepo -u user:passwd -X GET -H 'Content-Type: application/json' "https//somesecureserver.com/rest/field"

I wrote a blog on how to do this here: http://javamemento.blogspot.no/2015/10/using-curl-with-ssl-cert-chain.html


use --cacert to specify a .crt file. ca-root-nss.crt for example.

Related

Automate ssh-keygen -t rsa so it does not ask for a passphrase
Amazon S3 - How to fix 'The request signature we calculated does not match the signature' error?
Email address is not verified (AWS SES)
How do I access Configuration in any class in ASP.NET Core?
XPath OR operator for different nodes
Difference between solr and lucene
Show SOME invisible/whitespace characters in Eclipse
Post an empty body to REST API via HttpClient
Javascript date.getYear() returns 111 in 2011? [duplicate]
LaTeX: Prevent line break in a span of text
How do I read the source code of shell commands?
How to join strings in Elixir?