How to trust self-signed certificate in cURL command line?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












I've created a self-signed certificate for foo.localhost using a Let's Encrypt recommendation and assigned that to a web server. I've verified that the server returns the relevant certificate:



$ openssl s_client -showcerts -connect foo.localhost:8443 < /dev/null
CONNECTED(00000003)
depth=0 CN = foo.localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = foo.localhost
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=foo.localhost
i:/CN=foo.localhost
-----BEGIN CERTIFICATE-----
[…]
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=foo.localhost
issuer=/CN=foo.localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1330 bytes and written 269 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: […]
Session-ID-ctx:
Master-Key: […]
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
[…]

Start Time: 1529622990
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
DONE


How do I make cURL trust it without modifying anything in /etc? --cacert does not work, presumably because there is no CA:



$ curl --cacert tls/foo.localhost.crt 'https://foo.localhost:8443/'
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.


The goal is to enable HTTPS during development.







share|improve this question



















  • There seems to be a solution there: stackoverflow.com/a/21262787/6368697
    – Patrick Mevzek
    Jun 22 at 2:20










  • @PatrickMevzek No, "without modifying anything in /etc" is not satisfied by that solution.
    – l0b0
    Jun 22 at 2:58










  • Although there's no real CA, a selfsigned cert is effectively treated as its own CA for validation purposes. Try openssl x509 <file to make sure it's in the right format and openssl s_client ... -CAfile file to see if that validates. (BTW -showcerts only applies to chain certs from the server and is meaningless when there are no chain certs.) Also, curl doesn't always use OpenSSL and if not it doesn't always accept exactly the same formats; check curl -V (uppercase V).
    – dave_thompson_085
    Jun 22 at 8:44














up vote
0
down vote

favorite












I've created a self-signed certificate for foo.localhost using a Let's Encrypt recommendation and assigned that to a web server. I've verified that the server returns the relevant certificate:



$ openssl s_client -showcerts -connect foo.localhost:8443 < /dev/null
CONNECTED(00000003)
depth=0 CN = foo.localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = foo.localhost
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=foo.localhost
i:/CN=foo.localhost
-----BEGIN CERTIFICATE-----
[…]
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=foo.localhost
issuer=/CN=foo.localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1330 bytes and written 269 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: […]
Session-ID-ctx:
Master-Key: […]
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
[…]

Start Time: 1529622990
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
DONE


How do I make cURL trust it without modifying anything in /etc? --cacert does not work, presumably because there is no CA:



$ curl --cacert tls/foo.localhost.crt 'https://foo.localhost:8443/'
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.


The goal is to enable HTTPS during development.







share|improve this question



















  • There seems to be a solution there: stackoverflow.com/a/21262787/6368697
    – Patrick Mevzek
    Jun 22 at 2:20










  • @PatrickMevzek No, "without modifying anything in /etc" is not satisfied by that solution.
    – l0b0
    Jun 22 at 2:58










  • Although there's no real CA, a selfsigned cert is effectively treated as its own CA for validation purposes. Try openssl x509 <file to make sure it's in the right format and openssl s_client ... -CAfile file to see if that validates. (BTW -showcerts only applies to chain certs from the server and is meaningless when there are no chain certs.) Also, curl doesn't always use OpenSSL and if not it doesn't always accept exactly the same formats; check curl -V (uppercase V).
    – dave_thompson_085
    Jun 22 at 8:44












up vote
0
down vote

favorite









up vote
0
down vote

favorite











I've created a self-signed certificate for foo.localhost using a Let's Encrypt recommendation and assigned that to a web server. I've verified that the server returns the relevant certificate:



$ openssl s_client -showcerts -connect foo.localhost:8443 < /dev/null
CONNECTED(00000003)
depth=0 CN = foo.localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = foo.localhost
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=foo.localhost
i:/CN=foo.localhost
-----BEGIN CERTIFICATE-----
[…]
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=foo.localhost
issuer=/CN=foo.localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1330 bytes and written 269 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: […]
Session-ID-ctx:
Master-Key: […]
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
[…]

Start Time: 1529622990
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
DONE


How do I make cURL trust it without modifying anything in /etc? --cacert does not work, presumably because there is no CA:



$ curl --cacert tls/foo.localhost.crt 'https://foo.localhost:8443/'
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.


The goal is to enable HTTPS during development.







share|improve this question











I've created a self-signed certificate for foo.localhost using a Let's Encrypt recommendation and assigned that to a web server. I've verified that the server returns the relevant certificate:



$ openssl s_client -showcerts -connect foo.localhost:8443 < /dev/null
CONNECTED(00000003)
depth=0 CN = foo.localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = foo.localhost
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=foo.localhost
i:/CN=foo.localhost
-----BEGIN CERTIFICATE-----
[…]
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=foo.localhost
issuer=/CN=foo.localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1330 bytes and written 269 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: […]
Session-ID-ctx:
Master-Key: […]
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
[…]

Start Time: 1529622990
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
DONE


How do I make cURL trust it without modifying anything in /etc? --cacert does not work, presumably because there is no CA:



$ curl --cacert tls/foo.localhost.crt 'https://foo.localhost:8443/'
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.


The goal is to enable HTTPS during development.









share|improve this question










share|improve this question




share|improve this question









asked Jun 21 at 23:20









l0b0

26k17104226




26k17104226











  • There seems to be a solution there: stackoverflow.com/a/21262787/6368697
    – Patrick Mevzek
    Jun 22 at 2:20










  • @PatrickMevzek No, "without modifying anything in /etc" is not satisfied by that solution.
    – l0b0
    Jun 22 at 2:58










  • Although there's no real CA, a selfsigned cert is effectively treated as its own CA for validation purposes. Try openssl x509 <file to make sure it's in the right format and openssl s_client ... -CAfile file to see if that validates. (BTW -showcerts only applies to chain certs from the server and is meaningless when there are no chain certs.) Also, curl doesn't always use OpenSSL and if not it doesn't always accept exactly the same formats; check curl -V (uppercase V).
    – dave_thompson_085
    Jun 22 at 8:44
















  • There seems to be a solution there: stackoverflow.com/a/21262787/6368697
    – Patrick Mevzek
    Jun 22 at 2:20










  • @PatrickMevzek No, "without modifying anything in /etc" is not satisfied by that solution.
    – l0b0
    Jun 22 at 2:58










  • Although there's no real CA, a selfsigned cert is effectively treated as its own CA for validation purposes. Try openssl x509 <file to make sure it's in the right format and openssl s_client ... -CAfile file to see if that validates. (BTW -showcerts only applies to chain certs from the server and is meaningless when there are no chain certs.) Also, curl doesn't always use OpenSSL and if not it doesn't always accept exactly the same formats; check curl -V (uppercase V).
    – dave_thompson_085
    Jun 22 at 8:44















There seems to be a solution there: stackoverflow.com/a/21262787/6368697
– Patrick Mevzek
Jun 22 at 2:20




There seems to be a solution there: stackoverflow.com/a/21262787/6368697
– Patrick Mevzek
Jun 22 at 2:20












@PatrickMevzek No, "without modifying anything in /etc" is not satisfied by that solution.
– l0b0
Jun 22 at 2:58




@PatrickMevzek No, "without modifying anything in /etc" is not satisfied by that solution.
– l0b0
Jun 22 at 2:58












Although there's no real CA, a selfsigned cert is effectively treated as its own CA for validation purposes. Try openssl x509 <file to make sure it's in the right format and openssl s_client ... -CAfile file to see if that validates. (BTW -showcerts only applies to chain certs from the server and is meaningless when there are no chain certs.) Also, curl doesn't always use OpenSSL and if not it doesn't always accept exactly the same formats; check curl -V (uppercase V).
– dave_thompson_085
Jun 22 at 8:44




Although there's no real CA, a selfsigned cert is effectively treated as its own CA for validation purposes. Try openssl x509 <file to make sure it's in the right format and openssl s_client ... -CAfile file to see if that validates. (BTW -showcerts only applies to chain certs from the server and is meaningless when there are no chain certs.) Also, curl doesn't always use OpenSSL and if not it doesn't always accept exactly the same formats; check curl -V (uppercase V).
– dave_thompson_085
Jun 22 at 8:44















active

oldest

votes











Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);








 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f451207%2fhow-to-trust-self-signed-certificate-in-curl-command-line%23new-answer', 'question_page');

);

Post as a guest



































active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes










 

draft saved


draft discarded


























 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f451207%2fhow-to-trust-self-signed-certificate-in-curl-command-line%23new-answer', 'question_page');

);

Post as a guest













































































Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?