How to trust self-signed certificate in cURL command line?
I've created a self-signed certificate for foo.localhost using a Let's Encrypt recommendation and assigned that to a web server. I've verified that the server returns the relevant certificate:
$ openssl s_client -showcerts -connect foo.localhost:8443 < /dev/null
CONNECTED(00000003)
depth=0 CN = foo.localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = foo.localhost
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=foo.localhost
i:/CN=foo.localhost
-----BEGIN CERTIFICATE-----
[…]
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=foo.localhost
issuer=/CN=foo.localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1330 bytes and written 269 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: […]
Session-ID-ctx:
Master-Key: […]
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
[…]
Start Time: 1529622990
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
DONE
How do I make cURL trust it without modifying anything in /etc? --cacert
does not work, presumably because there is no CA:
$ curl --cacert tls/foo.localhost.crt 'https://foo.localhost:8443/'
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
The goal is to enable HTTPS during development.
curl https
asked Jun 21 at 23:20
l0b0
There seems to be a solution there: stackoverflow.com/a/21262787/6368697
– Patrick Mevzek
Jun 22 at 2:20
@PatrickMevzek No, "without modifying anything in /etc" is not satisfied by that solution.
– l0b0
Jun 22 at 2:58
Although there's no real CA, a self-signed cert is effectively treated as its own CA for validation purposes. Try openssl x509 <file to make sure it's in the right format and openssl s_client ... -CAfile file to see if that validates. (BTW -showcerts only applies to chain certs from the server and is meaningless when there are no chain certs.) Also, curl doesn't always use OpenSSL and if not it doesn't always accept exactly the same formats; check curl -V (uppercase V).
– dave_thompson_085
Jun 22 at 8:44
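The checks suggested in the comments, as an added shell example (not code from the question or from the commenters): it issues a self-signed certificate for foo.localhost with a subjectAltName in the style of the Let's Encrypt recipe, confirms the file is PEM, confirms the SAN, and verifies the certificate against itself with -CAfile, which is the same trust decision curl --cacert makes. It assumes openssl is on PATH; the temporary directory and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the question or its comments. Assumes `openssl`
# is on PATH; the host name and file paths are constructed for this demo.
set -eu

# Issue a self-signed cert the way the Let's Encrypt recipe does: a CN plus a
# subjectAltName, because curl matches the host name against SAN, not CN.
make_selfsigned() {  # $1 = dir, $2 = hostname -> writes $2.key and $2.crt
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n[dn]\nCN=%s\n[ext]\nsubjectAltName=DNS:%s\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' "$2" "$2" > "$1/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$1/$2.key" -out "$1/$2.crt" -config "$1/req.cnf" 2>/dev/null
}

# The "openssl x509 <file" check from the comments: --cacert wants PEM, a DER
# file needs converting first, and anything else is not a certificate at all.
cert_format() {  # $1 = file -> prints PEM, DER or UNKNOWN
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null \
        && openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then echo PEM
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then echo DER
    else echo UNKNOWN; fi
}

# The host name must appear in the SAN extension for curl to accept the cert.
has_san() {  # $1 = cert file, $2 = hostname -> exit 0 if DNS:$2 is present
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Core point of the comments: with no separate CA, the self-signed cert is its
# own trust anchor. This is the same check curl --cacert performs.
verify_self_signed() {  # $1 = cert file -> exit 0 if it validates itself
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

main() {
    host=foo.localhost; dir=$(mktemp -d)
    make_selfsigned "$dir" "$host"
    echo "format: $(cert_format "$dir/$host.crt")"
    has_san "$dir/$host.crt" "$host" && echo "SAN contains $host"
    verify_self_signed "$dir/$host.crt" && echo "cert validates as its own anchor"
    # curl -V (uppercase) shows the TLS backend; non-OpenSSL builds may differ.
    command -v curl >/dev/null 2>&1 && curl -V | sed -n 1p
    echo "next: curl --cacert $dir/$host.crt https://$host:8443/"
    rm -rf "$dir"
}
main "$@"
```

If verify_self_signed fails on a certificate that curl also rejects, the file is not the one the server is presenting, or it is not PEM, and the cert_format and has_san checks narrow down which.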