16

I am trying to run the following CURL command but I am getting a SSL Certificate error:

curl https://example.com:8443/cli/agentCLI -u username:password

Error:

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). The default bundle is named curl-ca-bundle.crt; you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

How would I fix this issue to allow for SSL URLs?

Improve this question
1

1 Answer 1

Reset to default
25

if you're using a self signed certificate on the server, you can use:

curl -k https://example.com:8443/cli/agentCLI -u username:password

but be aware that then it's no better than using non SSL connection to the server, as your communication won't be secure anymore, enabling all sorts of man in the middle attacks.

Though my advice to you is to download the .pem from the server:

using: 

echo "HEAD / HTTP/1.0\n Host: example.com\n\n EOT\n" | openssl s_client -prexit -connect example.com:8443 > cert.pem

to your computer, keep only the part between BEGIN CERTIFICATE and END CERTIFICATE within the file (including the BEGIN/END lines) and give it as parameter to the --cacert option, you might also download it. Then you'll get to authenticate your server each time you connect!

curl --cacert cert.pem https://example.com:8443/cli/agentCLI -u username:password

Testing on my own self-signed server, it's working fine:

% openssl s_client -showcerts -connect example.com:443 </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | grep -m1 -B-1 -- '-----END CERTIFICATE-----'  > cert.pem
% curl --cacert cert.pem https://example.com

for an example that should be working:

% openssl s_client -showcerts -connect git.cryptolib.org:443 </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | grep -m1 -B-1 -- '-----END CERTIFICATE-----'  > cert.pem
% curl --cacert cert.pem https://git.cryptolib.org
curl: (51) SSL: certificate verification failed (result: 5)

but sadly it's not.

I also tried to do, as suggested here:

% openssl x509 -inform PEM -in cert.pem -text -out certdata.pem
% curl --cacert certdata.pem https://git.cryptolib.org

Which is not working, because that site (git.cryptolib.org) I'm using for testing is not self-signed, but it's from the CACert chain, which can be solved by using the CACert root certificates, following this FAQ.

a few resources to dig:

But no definitive answer so far :-s

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Thanks Zmo..i have downloaded .pem by running of command echo "HEAD / HTTP/1.0\n Host: example.com\n\n EOT\n" | openssl s_client -prexit -connect example.com:8443 > cert.pem. But i m gettng same error when i m running second command which you gave here
Hi zmo..after downloaded cret.pem , i have run curl -k example.com:8443/cli/agentCLI -u user:pass .. Now i m getting output..Thanks.. But I got unreadable output ...Can you please tel me that how i ll get output like row..
curl -k is my first answer and is giving you insecure https connection to the server. It's making it work, but it's not making it authenticated.
if your output is unreadable, it's what's on your URL that is not full text HTML but something else. Debug your server code!
curl -k is not an answer to the question as it basically makes it http instead of https by allowing insecure connections.
|

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.