Curl command for https ( SSL )

linux shell ssl curl https

88,245

if you're using a self signed certificate on the server, you can use:

curl -k https://example.com:8443/cli/agentCLI -u username:password

but be aware that then it's no better than using non SSL connection to the server, as your communication won't be secure anymore, enabling all sorts of man in the middle attacks.

Though my advice to you is to download the .pem from the server:

that is usually found in /etc/ssl/ if you have access to the server,
or that you can download,

using:

echo "HEAD / HTTP/1.0\n Host: example.com\n\n EOT\n" | openssl s_client -prexit -connect example.com:8443 > cert.pem

to your computer, keep only the part between BEGIN CERTIFICATE and END CERTIFICATE within the file (including the BEGIN/END lines) and give it as parameter to the --cacert option, you might also download it. Then you'll get to authenticate your server each time you connect!

curl --cacert cert.pem https://example.com:8443/cli/agentCLI -u username:password

Testing on my own self-signed server, it's working fine:

% openssl s_client -showcerts -connect example.com:443 </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | grep -m1 -B-1 -- '-----END CERTIFICATE-----'  > cert.pem
% curl --cacert cert.pem https://example.com

for an example that should be working:

% openssl s_client -showcerts -connect git.cryptolib.org:443 </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | grep -m1 -B-1 -- '-----END CERTIFICATE-----'  > cert.pem
% curl --cacert cert.pem https://git.cryptolib.org
curl: (51) SSL: certificate verification failed (result: 5)

but sadly it's not.

I also tried to do, as suggested here:

% openssl x509 -inform PEM -in cert.pem -text -out certdata.pem
% curl --cacert certdata.pem https://git.cryptolib.org

Which is not working, because that site (git.cryptolib.org) I'm using for testing is not self-signed, but it's from the CACert chain, which can be solved by using the CACert root certificates, following this FAQ.

a few resources to dig:

But no definitive answer so far :-s

88,245

Author by

Kalaiyarasan

Updated on July 21, 2022

Comments

Kalaiyarasan almost 2 years
I am trying to run the following CURL command but I am getting a SSL Certificate error:
```
curl https://example.com:8443/cli/agentCLI -u username:password
```
Error:

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). The default bundle is named curl-ca-bundle.crt; you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

How would I fix this issue to allow for SSL URLs?
Kalaiyarasan about 9 years

Thanks Zmo..i have downloaded .pem by running of command echo "HEAD / HTTP/1.0\n Host: example.com\n\n EOT\n" | openssl s_client -prexit -connect example.com:8443 > cert.pem. But i m gettng same error when i m running second command which you gave here
Kalaiyarasan about 9 years

Hi zmo..after downloaded cret.pem , i have run curl -k example.com:8443/cli/agentCLI -u user:pass .. Now i m getting output..Thanks.. But I got unreadable output ...Can you please tel me that how i ll get output like row..
zmo about 9 years

curl -k is my first answer and is giving you insecure https connection to the server. It's making it work, but it's not making it authenticated.
zmo about 9 years

if your output is unreadable, it's what's on your URL that is not full text HTML but something else. Debug your server code!
Steven2163712 almost 7 years

curl -k is not an answer to the question as it basically makes it http instead of https by allowing insecure connections.
zmo almost 7 years

it's not exactly right, it all depends on your threat model. The communication is still encrypted with curl -k on an https URL, but you're sensible to Man in the Middle attacks if the certificate is being taken over and replaced with a new one by an intermediate router. So it's better than HTTP, even if not a properly secured HTTPS connection. Thus, two options are possible, certificate pinning (as I suggest in my answer) or use letsencrypt.