I am new to Curl and Cacerts world and facing a problem while connecting to a server. Basically, I need to test connectivity over https from one machine to another machine. I have a URL to which I need to connect from Machine A (a linux machine) I tried this on command prompt
cmd> curl https://[my domain or IP address]
and got the following:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
On going through some articles over internet I did this:
openssl s_client -connect <domain name or Ip address>:443
and got some response including the
server certificate (inside -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).
What should I do next from here. I think, I will have to just copy paste the text inside
BEGIN CERTIFICATE & END CERTIFICATE and save it in a file.
But,
What type of file it should be? .pem, .crt ?..
What should I be do after that?
I tried this - copied the text inside BEGIN CERTIFICATE & END CERTIFICATE and saved it in a .crt file - named it as my-ca.crt (also tried the same thing by naming it as my-ca.pem file)
and then did this:
cmd>curl --cacert my-ca.crt https://[my domain or IP address]
But got the same error.
This question is related to
curl
ssl
command-line
https
certificate
With modern versions of curl, you can simply override which ip-address to connect to, using --resolve or --connect-to (curl newer than version 7.49). This works even with SSL/SNI. All details are in the man page.
For example, to override DNS and connect to www.example.com with ssl using a particular ip address: (This will also override ipv6)
curl --resolve www.example.com:443:192.168.42.2 https://www.example.com/
Another example, to connect to a particular backend server named backend1 on port 8080
curl --connect-to www.example.com:80:backend1.example.com:8080 http://www.example.com/
Remember to add the host header if the server needs that to answer correctly:
-H 'Host:www.example.com'
You need to provide the entire certificate chain to curl, since curl no longer ships with any CA certs. Since the cacert option can only use one file, you need to concat the full chain info into 1 file
Copy the certificate chain (from your browser, for example) into DER encoded binary x.509(.cer). Do this for each cert.
Convert the certs into PEM, and concat them into 1 file.
openssl x509 -inform DES -in file1.cer -out file1.pem -text
openssl x509 -inform DES -in file2.cer -out file2.pem -text
openssl x509 -inform DES -in file3.cer -out file3.pem -text
cat *.pem > certRepo
curl --cacert certRepo -u user:passwd -X GET -H 'Content-Type: application/json' "https//somesecureserver.com/rest/field"
I wrote a blog on how to do this here: http://javamemento.blogspot.no/2015/10/using-curl-with-ssl-cert-chain.html
I actually had this kind of problem and I solve it by these steps:
Get the bundle of root CA certificates from here: https://curl.haxx.se/ca/cacert.pem and save it on local
Find the php.ini file
Set the curl.cainfo to be the path of the certificates. So it will something like:
curl.cainfo = /path/of/the/keys/cacert.pem
I had the same problem - I was fetching a page from my own site, which was served over HTTPS, but curl was giving the same "SSL certificate problem" message. I worked around it by adding a -k flag to the call to allow insecure connections.
curl -k https://whatever.com/script.php
Edit: I discovered the root of the problem. I was using an SSL certificate (from StartSSL, but I don't think that matters much) and hadn't set up the intermediate certificate properly. If you're having the same problem as user1270392 above, it's probably a good idea to test your SSL cert and fix any issues with it before resorting to the curl -k fix.
Here you could find the CA certs with instructions to download and convert Mozilla CA certs.
Once you get ca-bundle.crt or cacert.pem you just use:
curl.exe --cacert cacert.pem https://www.google.com
or
curl.exe --cacert ca-bundle.crt https://www.google.com
That's my everyday script:
curl --insecure -v https://www.google.com 2>&1 | awk 'BEGIN { cert=0 } /^\* Server certificate:/ { cert=1 } /^\*/ { if (cert) print }'
Output:
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
* start date: 2016-01-07 11:34:33 GMT
* expire date: 2016-04-06 00:00:00 GMT
* issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
* SSL certificate verify ok.
* Server GFE/2.0 is not blacklisted
* Connection #0 to host www.google.com left intact
use --cacert to specify a .crt file.
ca-root-nss.crt for example.
you could use this
curl_setopt($curl->curl, CURLOPT_SSL_VERIFYPEER, false);
having dignosed the problem I was able to use the existing system default CA file, on debian6 this is:
/etc/ssl/certs/ca-certificates.crt
as root this can be done like:
echo curl.cainfo=/etc/ssl/certs/ca-certificates.crt >> /etc/php5/mods-available/curl.ini
then re-start the web-server.
For me, I just wanted to test a website that had an automatic http->https redirect. I think I had some certs installed already, so this alone works for me on Ubuntu 16.04 running curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
curl --proto-default https <target>
Source: Stackoverflow.com