Curl command for https ( SSL )
if you're using a self signed certificate on the server, you can use:
curl -k https://example.com:8443/cli/agentCLI -u username:password
but be aware that then it's no better than using non SSL connection to the server, as your communication won't be secure anymore, enabling all sorts of man in the middle attacks.
Though my advice to you is to download the .pem
from the server:
- that is usually found in
/etc/ssl/
if you have access to the server, - or that you can download,
using:
echo "HEAD / HTTP/1.0\n Host: example.com\n\n EOT\n" | openssl s_client -prexit -connect example.com:8443 > cert.pem
to your computer, keep only the part between BEGIN CERTIFICATE
and END CERTIFICATE
within the file (including the BEGIN/END lines) and give it as parameter to the --cacert
option, you might also download it. Then you'll get to authenticate your server each time you connect!
curl --cacert cert.pem https://example.com:8443/cli/agentCLI -u username:password
Testing on my own self-signed server, it's working fine:
% openssl s_client -showcerts -connect example.com:443 </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | grep -m1 -B-1 -- '-----END CERTIFICATE-----' > cert.pem
% curl --cacert cert.pem https://example.com
for an example that should be working:
% openssl s_client -showcerts -connect git.cryptolib.org:443 </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | grep -m1 -B-1 -- '-----END CERTIFICATE-----' > cert.pem
% curl --cacert cert.pem https://git.cryptolib.org
curl: (51) SSL: certificate verification failed (result: 5)
but sadly it's not.
I also tried to do, as suggested here:
% openssl x509 -inform PEM -in cert.pem -text -out certdata.pem
% curl --cacert certdata.pem https://git.cryptolib.org
Which is not working, because that site (git.cryptolib.org) I'm using for testing is not self-signed, but it's from the CACert chain, which can be solved by using the CACert root certificates, following this FAQ.
a few resources to dig:
- http://curl.haxx.se/docs/sslcerts.html
- http://curl.haxx.se/mail/archive-2012-01/0049.html
- https://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/
- http://curl.haxx.se/docs/caextract.html
- curl self-signed certificate web service over SSL
But no definitive answer so far :-s
Kalaiyarasan
Updated on July 21, 2022Comments
-
Kalaiyarasan almost 2 years
I am trying to run the following CURL command but I am getting a SSL Certificate error:
curl https://example.com:8443/cli/agentCLI -u username:password
Error:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). The default bundle is named curl-ca-bundle.crt; you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
How would I fix this issue to allow for SSL URLs?
-
Kalaiyarasan about 9 yearsThanks Zmo..i have downloaded .pem by running of command echo "HEAD / HTTP/1.0\n Host: example.com\n\n EOT\n" | openssl s_client -prexit -connect example.com:8443 > cert.pem. But i m gettng same error when i m running second command which you gave here
-
Kalaiyarasan about 9 yearsHi zmo..after downloaded cret.pem , i have run curl -k example.com:8443/cli/agentCLI -u user:pass .. Now i m getting output..Thanks.. But I got unreadable output ...Can you please tel me that how i ll get output like row..
-
zmo about 9 years
curl -k
is my first answer and is giving you insecure https connection to the server. It's making it work, but it's not making it authenticated. -
zmo about 9 yearsif your output is unreadable, it's what's on your URL that is not full text HTML but something else. Debug your server code!
-
Steven2163712 almost 7 yearscurl -k is not an answer to the question as it basically makes it http instead of https by allowing insecure connections.
-
zmo almost 7 yearsit's not exactly right, it all depends on your threat model. The communication is still encrypted with
curl -k
on an https URL, but you're sensible to Man in the Middle attacks if the certificate is being taken over and replaced with a new one by an intermediate router. So it's better than HTTP, even if not a properly secured HTTPS connection. Thus, two options are possible, certificate pinning (as I suggest in my answer) or use letsencrypt.