Curl with custom certificate

curlopensslssl-certificate

I 'd like curl to work with sites signed by goDaddy:
If I call

curl mypage.com/bla

I am getting a certificate verification error. I tried getting the ca certificate with this snippet:

echo | openssl s_client -connect mysite.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem

and afterwards calling

curl mypage.com/bla --cacert cert.pem

which also caused a verification error. I checked the certificate date and subject and everything seems fine?

What am I missing? Do I maybe need the whole chain? If yes, is there a command to get it all?

Best Answer

CA in cacert means certification authority. You should specify the cert or cert path of the authority that signed your certificate, not your certificate itself

the command

openssl x509 -in YourSitePemCert -text

should list an issuer line. you should get the issuer certificate and include it the cacert pem file

( in your case searching godaddy cert chain lead to https://certs.godaddy.com/repository )

Related Solutions

SSL Error: self signed certificate in certificate chain

You don't need the root certificate in the chain (though I don't believe having it hurts anything).

That error is more of a warning from openssl in this case I think. I believe what it means is just that openssl doesn't know that it should trust the root certificate of that chain. If you pull out just the root certificate from that bundle and point that openssl command at it with the -CAfile argument I expect that "error" should go away.

Inside the sf_bundle.crt file you should see two

-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----

blocks (possibly with plain text above each block showing what certificate the block contains). If you split each of those blocks into its own file so you end up with block1.crt and block2.crt you should be able to run openssl x509 -noout -subject -in <file.crt> on each of them to get their respective certificate subject lines.

Assuming that block2.crt has a subject line of /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority you should then be able to run openssl s_client -CAfile block2.crt -connect imap.domain.ltd:465 and that should, hopefully, connect without giving you the self-signed certificate error.

SSL Certificate – Displaying Remote SSL Certificate Details Using CLI Tools

You should be able to use OpenSSL for your purpose:

echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text

That command connects to the desired website and pipes the certificate in PEM format on to another openssl command that reads and parses the details.

(Note that "redundant" -servername parameter is necessary to make openssl do a request with SNI support.)

Best Answer

Related Solutions

SSL Error: self signed certificate in certificate chain

SSL Certificate – Displaying Remote SSL Certificate Details Using CLI Tools

Related Topic