curl self-signed certificate web service over SSL

帅比萌擦擦* submitted on 2019-11-30 20:49:31

Question


Hi, I am having a big headache trying to curl a REST web service I created locally over SSL. I keep getting the message:

  curl: (60) SSL certificate problem: self signed certificate
  More details here: http://curl.haxx.se/docs/sslcerts.html

  curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
  If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
  If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

Here are the steps I followed:

  1. Created my own CA certificate (private certificate and key pair) with OpenSSL, CN: RESTfulCustomer
     openssl req -x509 -new -config c:\X509CA\openssl.cfg -days 365 -out c:\X509CA\ca\private_ca.pem -keyout c:\X509CA\ca\private_ca_pk.pem

  2. Created the keystore and mycert.pem, using the same CN as above
     keytool -genkey -validity 365 -alias myalias -keypass password -keystore myKeyStore.jks -storepass password

  3. Created a certificate signing request
     keytool -certreq -alias myalias -file myCert_csr.pem -keypass password -keystore myKeyStore.jks -storepass password

  4. Signed the CSR with
     openssl ca -config c:\X509CA\openssl.cfg -days 365 -in c:\path\to\key_store\myCert_csr.pem -out c:\path\to\key_store\myCert.pem

  5. Converted to PEM format - convert the signed certificate, CertName.pem, to PEM-only format, as follows:
     openssl x509 -in c:\path\to\key_store\myCert.pem -out c:\path\to\key_store\myCert.pem -outform PEM

  6. Concatenated the CA certificate file and certName.pem
     copy myCert.pem + c:\X509CA\ca\new_ca.pem myCert.chain

  7. Updated the keystore with the full certificate chain - update the keystore, CertName.jks, by importing the full certificate chain for the certificate, as follows:
     keytool -import -file myCert.chain -keypass password -keystore myKeyStore.jks -storepass password

Finally I imported it into Firefox and updated my server.xml. Apache Tomcat 7 starts OK and I can navigate to my SSL web page with no problems. curl does not work without using --insecure. My curl command:

  curl -v --cacert ca.pem https://localhost:8443/RESTfulCustomer/customers.json

The curl command above gives me the message "curl: (60) SSL certificate problem: self signed certificate".

Running the curl command against http://localhost:8080/RESTfulCustomer/customers.json with SSL disabled works fine.

I imported ca.pem into myKeyStore.jks and restarted Apache. Environment: Windows 7, Apache Tomcat 7, Spring Security 3.1, curl 7.30.0 (i386-pc-win32) libcurl/7.30.0 OpenSSL/1.0.1c zlib/1.2.7

Any help would be really appreciated, thanks.


Answer 1:


In case anyone runs into this in the future, I had to create the cert for localhost.com and add it to the end of my /etc/hosts file like this, and then run curl --cacert cert.crt https://localhost.com.

127.0.0.1   localhost
127.0.0.1   localhost.com

If you are not on linux or mac, you can try this in a docker container which will have /etc/hosts.

I don't know why it wouldn't work with localhost as the domain name, but curl would keep complaining about self-signed certs. It might have something to do with either Docker networking or something special about the localhost keyword.




Answer 2:


Please refer to the following answer:

  • https://stackoverflow.com/a/28927268/1290438

To sum up:

% openssl s_client -showcerts -connect example.com:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > cert.pem
% curl --cacert cert.pem https://example.com

And tada, you connect securely to a self-signed website.
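
The three posts above touch the same checks from different sides: the question's "self signed certificate" error, Answer 1's hostname problem, and Answer 2's trick of handing curl the server's own certificate. The script below is an added example, not code from the question or either answer, and it reproduces each of them offline with openssl alone. curl's message "SSL certificate problem: self signed certificate" is OpenSSL verify error 18 at depth 0: the certificate the server presented is self-signed and is not in the file given to --cacert. A CA-signed certificate chained to that CA passes, and so does a self-signed certificate when that very certificate is the --cacert file, which is why Answer 2 works. A name mismatch between the URL host and the certificate's subjectAltName is a different error, which is the check Answer 1's /etc/hosts entry satisfies. The script assumes openssl 1.1.1 or later, awk, sed and mktemp on PATH; the CA name, the "RESTfulCustomer Test CA" subject, the scratch files and the stand-in `s_client` capture are all constructed here.

```shell
#!/bin/sh
# Added example; not code from the question or from either answer.
# Assumes only: openssl 1.1.1 or later, awk, sed and mktemp on PATH.
# Every file, name and certificate below is generated here in a scratch
# directory, so the script runs offline; nothing is read from a real server.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA="$WORK/ca.pem"; SELF="$WORK/selfsigned.pem"; SIGNED="$WORK/signed.pem"

# Minimal self-contained OpenSSL config, so the result does not depend on the
# system openssl.cnf. A CA certificate must carry CA:TRUE and keyCertSign or
# OpenSSL (and therefore curl) refuses to build a chain through it; the server
# certificate carries the DNS name that will appear in the URL as a SAN.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:localhost
EOF

# 1. The private CA (the role of step 1 in the question).
openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -days 365 -subj "/CN=RESTfulCustomer Test CA" \
    -keyout "$WORK/ca.key" -out "$CA" 2>/dev/null

# 2. A self-signed server certificate, the kind `keytool -genkey` puts in a new
#    keystore. A server that still presents this one triggers curl's error 60.
openssl req -x509 -config "$WORK/openssl.cnf" -extensions leaf_ext -newkey rsa:2048 \
    -nodes -days 365 -subj "/CN=localhost" \
    -keyout "$WORK/self.key" -out "$SELF" 2>/dev/null

# 3. The same identity as a CSR, signed by the CA (the role of steps 3 and 4).
openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=localhost" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$CA" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -extfile "$WORK/openssl.cnf" -extensions leaf_ext -out "$SIGNED" 2>/dev/null

# What curl does with --cacert: chain the presented certificate to the given file.
# Returns 0 on success, 2 for OpenSSL "error 18 at 0 depth" (a self-signed leaf
# that is not itself in the CA file; the condition behind curl's message),
# 1 for any other verification failure.
verify_against_ca() {  # $1 = CA file, $2 = certificate the server presents
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && return 0
    case "$out" in
        *"error 18 at 0 depth"*) return 2 ;;
        *) return 1 ;;
    esac
}

# The second check curl performs: does the host in the URL match the certificate?
# A mismatch is reported as a hostname error, not as "self signed certificate".
hostname_matches() {  # $1 = CA file, $2 = certificate, $3 = host from the URL
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Keep only the first PEM block of an `openssl s_client -showcerts` capture: the
# server's own certificate, which is what --cacert needs for a self-signed server.
first_cert() {  # $1 = file holding the s_client output (or any PEM bundle)
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ { print }
         /-----END CERTIFICATE-----/ { exit }' "$1"
}

# SHA-256 fingerprint: compare it out-of-band with the server's keystore before
# trusting a certificate you fetched over the network.
fingerprint() {  # $1 = PEM certificate
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Constructed stand-in for s_client output: some chatter, the leaf, then the CA.
{ echo "CONNECTED(00000003)"; echo "depth=1 CN = RESTfulCustomer Test CA";
  cat "$SIGNED" "$CA"; echo "---"; } > "$WORK/s_client.txt"
first_cert "$WORK/s_client.txt" > "$WORK/extracted.pem"

rc=0; verify_against_ca "$CA" "$SELF" || rc=$?
echo "self-signed leaf against ca.pem:         rc=$rc (2 = curl's 'self signed certificate')"
rc=0; verify_against_ca "$CA" "$SIGNED" || rc=$?
echo "CA-signed leaf against ca.pem:           rc=$rc"
rc=0; verify_against_ca "$SELF" "$SELF" || rc=$?
echo "self-signed leaf given as --cacert:      rc=$rc"
hostname_matches "$CA" "$SIGNED" localhost && echo "name check for https://localhost:        ok"
hostname_matches "$CA" "$SIGNED" localhost.com || echo "name check for https://localhost.com:    mismatch"
[ "$(fingerprint "$WORK/extracted.pem")" = "$(fingerprint "$SIGNED")" ] && echo "first_cert extracted the leaf: $(fingerprint "$SIGNED")"
```

Against a live server, replace the constructed capture with `openssl s_client -showcerts -connect localhost:8443 </dev/null 2>/dev/null`: if `verify_against_ca ca.pem` on the first certificate returns 2, the server is presenting a self-signed certificate rather than the CA-signed chain, and no --cacert file other than that certificate itself will satisfy curl; if it returns 0 but `hostname_matches` fails, the problem is the name in the URL, which is what Answer 1's /etc/hosts entry works around.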



Source: https://stackoverflow.com/questions/17748801/curl-self-signed-certificate-web-service-over-ssl
