Reputation: 175
Hi, I am having a big headache trying to curl a REST web service I created locally over SSL. I keep getting the message:
"curl: (60) SSL certificate problem: self signed certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option."
Here are the steps I followed:
Created the keystore and mycert.pem:
keytool -genkey -validity 365 -alias myalias -keypass password -keystore myKeyStore.jks -storepass password
Used the same CN as above.
Created a certificate signing request:
keytool -certreq -alias myalias -file myCert_csr.pem -keypass password -keystore myKeyStore.jks -storepass password
Signed the CSR with:
openssl ca -config c:\X509CA\openssl.cfg -days 365 -in c:\path\to\key_store\myCert_csr.pem -out c:\path\to\key_store\myCert.pem
Converted to PEM format - Convert the signed certificate, CertName.pem, to PEM only format, as follows:
openssl x509 -in c:\path\to\key_store\myCert.pem -out c:\path\to\key_store\myCert.pem -outform PEM
localhost:8443/RESTfulCustomer/customers.json
The curl command above gives me the message "curl: (60) SSL certificate problem: self signed certificate".
Running the curl command for http://localhost:8080/RESTfuCustomer.customers.json with SSL disabled works fine.
I imported the ca.pem into myKeyStore.jks and restarted Apache.
Environment: Windows 7, Apache Tomcat 7, Spring Security 3.1, curl 7.30.0 (i386-pc-win32) libcurl/7.30.0 OpenSSL/1.0.1c zlib/1.2.7
Any help would be really appreciated, thanks.
Upvotes: 2
Views: 5965
Reputation: 480
In case anyone runs into this in the future, I had to create the cert for localhost.com and add it to the end of my /etc/hosts file like this and then curl --cacert cert.crt https://localhost.com.
127.0.0.1 localhost
127.0.0.1 localhost.com
If you are not on Linux or Mac, you can try this in a Docker container which will have /etc/hosts.
I don't know why it wouldn't work with localhost as domain name, but curl would keep complaining about self-signed certs. Might have something to do with either Docker networking or something special about the localhost keyword.
Upvotes: 0
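The two checks behind curl's error 60 (the certificate must chain to a CA the client trusts, and it must be issued for the host name in the URL), as an added example that is not part of the original posts. It assumes the openssl command-line tool is installed; the CA name, file names and the req.cnf file are constructed for the demo.

```shell
#!/bin/sh
# Added example; every name and file below is constructed for the demo.

# Build a throwaway CA, a CA-signed "localhost" cert and a self-signed one in $1.
make_demo_pki() {
  d=$1
  # Minimal request config so the root certificate is marked as a CA.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/req.cnf"
  # Private root CA: the only file a client has to trust (curl --cacert ca.pem).
  openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Local CA" -keyout "$d/ca.key" -out "$d/ca.pem" \
    2>/dev/null || return 1
  # Server key + CSR, then the CA signs it with a subjectAltName for the host.
  openssl req -config "$d/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
  printf 'subjectAltName=DNS:localhost\n' > "$d/san.ext"
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/san.ext" -out "$d/server.pem" \
    2>/dev/null || return 1
  # Self-signed certificate: issued by its own key, not by the demo CA.
  openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=localhost" -keyout "$d/self.key" -out "$d/self.pem" \
    2>/dev/null || return 1
}

# True when certificate $2 chains to trust anchor $1 and is valid for host $3.
cert_ok() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) || return 1
  make_demo_pki "$d" || { rm -rf "$d"; return 1; }
  for c in "server.pem localhost" "self.pem localhost" "server.pem localhost.com"
  do
    set -- $c
    if cert_ok "$d/ca.pem" "$d/$1" "$2"; then r=accepted; else r=rejected; fi
    echo "$1 presented for host $2: $r"
  done
  rm -rf "$d"
}
demo
```

Only the CA-signed certificate checked against its own host name is accepted; the self-signed one fails the chain check and the last case fails the host name check.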
Reputation: 24802
Please refer to the following answer:
To sum up:
% openssl s_client -showcerts -connect example.com:443 </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | sed '/-----END CERTIFICATE-----/q' > cert.pem
% curl --cacert cert.pem https://example.com
and tada, you connect securely to a self-signed website.
Upvotes: -1