cUrl with mutual authentication
Solution 1
Yes you need to add --cacert
option to the curl command if you have it downloaded or a self-signed certificate (in my case)
curl --key client.key --cert client.crt --cacert bundle.pem -X GET -v https://x.x.x.x:xxxx/folder/endpoint
.
The bundle.pem
has the server.crt and rootCA.crt.
cat server.crt rootCA.crt >> bundle.pem
Solution 2
Your error message is :
unable to get local issuer certificate
That means curl is unable to find the certificate of the issuer (the CA who sign the server certificate) from the trust store :
/etc/ssl/certs/ca-certificates.crt
All you have to do is download the CA certificate and add it to the trust store.
Owen Nel
Updated on June 04, 2022Comments
-
Owen Nel almost 2 years
I am trying to do a cUrl to a 3rd party server. They provided me with a p12 file which I installed in my browser. When using the browser I get a response from the server. When doing a cUrl from the linux terminal I get handshake errors.
I extracted the .p12 to a key and cert and then I run the following command:
curl --key client.key --cert client.crt -X GET -v https://x.x.x.x:xxxx/folder/endpoint
And get the following reply:
Note: Unnecessary use of -X or --request, GET is already inferred. * Trying x.x.x.x... * TCP_NODELAY set * Connected to x.x.x.x (x.x.x.x) port xxxx (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (OUT), TLS alert, Server hello (2): * SSL certificate problem: unable to get local issuer certificate * stopped the pause stream! * Closing connection 0 curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.haxx.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.
Do I need to add a self-signed certificate somewhere? I feel like I am missing something. As said earlier, it works from my browser where the cert was imported so I am certain that there is not an issue with their cert. I know I am missing something.
Thanks,