发表新帖
发表新帖

Curl command for https ( SSL )

前端 未结
关注
1 1688
忘了有多久
忘了有多久 2021-01-02 03:53

I am trying to run the following CURL command but I am getting a SSL Certificate error:

curl https://example.com:8443/cli/agentCLI -u username:password
相关标签:
1条回答
  • 独厮守ぢ
    2021-01-02 04:34

    if you're using a self signed certificate on the server, you can use:

    curl -k https://example.com:8443/cli/agentCLI -u username:password

    but be aware that then it's no better than using non SSL connection to the server, as your communication won't be secure anymore, enabling all sorts of man in the middle attacks.

    Though my advice to you is to download the .pem from the server:

    • that is usually found in /etc/ssl/ if you have access to the server,
    • or that you can download,

    using: 

    echo "HEAD / HTTP/1.0\n Host: example.com\n\n EOT\n" | openssl s_client -prexit -connect example.com:8443 > cert.pem

    to your computer, keep only the part between BEGIN CERTIFICATE and END CERTIFICATE within the file (including the BEGIN/END lines) and give it as parameter to the --cacert option, you might also download it. Then you'll get to authenticate your server each time you connect!

    curl --cacert cert.pem https://example.com:8443/cli/agentCLI -u username:password

    Testing on my own self-signed server, it's working fine:

    % openssl s_client -showcerts -connect example.com:443 </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | grep -m1 -B-1 -- '-----END CERTIFICATE-----'  > cert.pem
% curl --cacert cert.pem https://example.com

    for an example that should be working:

    % openssl s_client -showcerts -connect git.cryptolib.org:443 </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | grep -m1 -B-1 -- '-----END CERTIFICATE-----'  > cert.pem
% curl --cacert cert.pem https://git.cryptolib.org
curl: (51) SSL: certificate verification failed (result: 5)

    but sadly it's not.

    I also tried to do, as suggested here:

    % openssl x509 -inform PEM -in cert.pem -text -out certdata.pem
% curl --cacert certdata.pem https://git.cryptolib.org

    Which is not working, because that site (git.cryptolib.org) I'm using for testing is not self-signed, but it's from the CACert chain, which can be solved by using the CACert root certificates, following this FAQ.

    a few resources to dig:

    • http://curl.haxx.se/docs/sslcerts.html
    • http://curl.haxx.se/mail/archive-2012-01/0049.html
    • https://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/
    • http://curl.haxx.se/docs/caextract.html
    • curl self-signed certificate web service over SSL

    But no definitive answer so far :-s

    0 讨论(0)
 看不清?
提交回复
热议问题