Question
Hi, I am having a big headache trying to curl a REST web service I created locally over SSL. I keep getting the message "curl: (60) SSL certificate problem: self signed certificate More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option."
Here are the steps I followed:
- Created my own CA certificate (private certificate and key pair) with OpenSSL:
  openssl req -x509 -new -config c:\X509CA\openssl.cfg -days 365 -out c:\X509CA\ca\private_ca.pem -keyout c:\X509CA\ca\private_ca_pk.pem
  My CN: RESTfulCustomer
- Created the keystore and mycert.pem:
  keytool -genkey -validity 365 -alias myalias -keypass password -keystore myKeyStore.jks -storepass password
  Used the same CN as above.
- Created a certificate signing request:
  keytool -certreq -alias myalias -file myCert_csr.pem -keypass password -keystore myKeyStore.jks -storepass password
- Signed the CSR with:
  openssl ca -config c:\X509CA\openssl.cfg -days 365 -in c:\path\to\key_store\myCert_csr.pem -out c:\path\to\key_store\myCert.pem
- Converted to PEM format (convert the signed certificate, CertName.pem, to PEM-only format) as follows:
  openssl x509 -in c:\path\to\key_store\myCert.pem -out c:\path\to\key_store\myCert.pem -outform PEM
- Concatenated the CA certificate file and the certName.pem:
  copy myCert.pem + c:\X509CA\ca\new_ca.pem myCert.chain
- Updated the keystore with the full certificate chain (update the keystore, CertName.jks, by importing the full certificate chain for the certificate) as follows:
  keytool -import -file myCert.chain -keypass password -keystore myKeyStore.jks -storepass password
Finally I imported it into Firefox and updated my server.xml; Apache Tomcat 7 starts OK and I can navigate to my SSL web page with no problems. curl does not work without using --insecure. My curl command:
curl -v --cacert ca.pem https://localhost:8443/RESTfulCustomer/customers.json
The curl command above gives me the message "curl: (60) SSL certificate problem: self signed certificate".
Running the curl command for http://localhost:8080/RESTfulCustomer/customers.json with SSL disabled works fine.
I imported the ca.pem into myKeyStore.jks and restarted Apache. Environment: Windows 7, Apache Tomcat 7, Spring Security 3.1, curl 7.30.0 (i386-pc-win32) libcurl/7.30.0 OpenSSL/1.0.1c zlib/1.2.7
Any help would be really appreciated, thanks.
Answer 1:
In case anyone runs into this in the future, I had to create the cert for localhost.com and add it to the end of my /etc/hosts file like this, and then run curl --cacert cert.crt https://localhost.com.
127.0.0.1 localhost
127.0.0.1 localhost.com
If you are not on Linux or Mac, you can try this in a Docker container, which will have /etc/hosts.
I don't know why it wouldn't work with localhost as the domain name, but curl would keep complaining about self-signed certs. Might have something to do with either Docker networking or something special about the localhost keyword.
Answer 2:
Please refer to the following answer:
- https://stackoverflow.com/a/28927268/1290438
To sum up (the sed below keeps only the first certificate the server sends, i.e. the leaf, and stops there):
% openssl s_client -showcerts -connect example.com:443 </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/{p;/-----END CERTIFICATE-----/q;}' > cert.pem
% curl --cacert cert.pem https://example.com
And tada, you connect securely to a self-signed website.
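An added example, not code from the question or either answer: it builds a throwaway CA plus a CA-signed and a self-signed server certificate with the openssl CLI, then runs the two checks that sit behind curl's error 60 (the certificate must chain to the file given with --cacert, and the host in the URL must match the certificate's name). It assumes a POSIX shell with openssl installed; the names demo-ca and localhost and the temp-dir layout are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the question or the answers: build a throwaway CA and
# two server certificates, then run the two checks behind curl's error 60.
# Assumes the openssl CLI; the names demo-ca and localhost are constructed for the demo.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A private CA, the role the "RESTfulCustomer" CA plays in the question.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. Server key + CSR for localhost, signed by the CA. The subjectAltName is what
#    the client matches against the host in the URL; a matching CN alone is not enough.
openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\n' > "$WORK/san.ext"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -extfile "$WORK/san.ext" -out "$WORK/server.pem" 2>/dev/null

# 3. A self-signed server certificate with the same CN: what a client sees when the
#    CA-signed chain never replaced the keystore's original self-signed entry.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=localhost" \
  -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" 2>/dev/null

# verify_against_ca CERT CAFILE HOST: succeeds only if CERT chains to CAFILE and
# names HOST, which is what curl --cacert CAFILE https://HOST/ checks.
verify_against_ca() {
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# is_self_signed CERT: succeeds when the issuer name equals the subject name,
# i.e. the cert vouches for itself rather than being signed by a CA.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Stand-alone run: report each server certificate the way curl would judge it.
for c in server selfsigned; do
  if verify_against_ca "$WORK/$c.pem" "$WORK/ca.pem" localhost; then
    echo "$c.pem: trusted via ca.pem and valid for localhost"
  else
    echo "$c.pem: rejected (curl would report error 60); self-signed: $(is_self_signed "$WORK/$c.pem" && echo yes || echo no)"
  fi
done
```

Running is_self_signed against the certificate a server actually presents (fetched as in the answer above) tells you whether the CA-signed chain was really installed or the keystore is still serving its original self-signed entry.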
Source: https://stackoverflow.com/questions/17748801/curl-self-signed-certificate-web-service-over-ssl