cURL / Mailing Lists / curl-users / Single Mail

curl-users

Re: Help with an X509 certificate and cURL request

From: thomas Armstrong <tarmstrong_at_gmail.com>
Date: Tue, 22 Jan 2008 14:50:26 +0100

I created my own CA cert with:
openssl req -x509 -newkey rsa:2048 -keyout cakey.pem -days 3650 -out cacert.pem

and I added this option to cURL call:
--cacert cacert.pem

but I got the same error message :(

On 1/22/08, thomas Armstrong <tarmstrong_at_gmail.com> wrote:
> Hi Daniel. Thank you very much for your answer.
>
> > If they requrie a client certificate, there's no point in you making up your
> > own but they should rather provide it for you. What else would be the point
> > with a certificate?
>
> They provided me a certificate :)
>
> > Yes, but you may also need to provide a keyphrase for the private key.
> I did.
> ------------------------
> []# curl -d "firstName=John&lastName=Smith" -G -v --key serv-priv.pem
> --cacert cacert.pem --cert server-cert.pem
> https://www.domain.com/webservice.asp
>
> * About to connect() to www.domain.com port 443
> * Trying 156.119.10.126... * connected
> * Connected to www.domain.com (156.119.10.126) port 443
> Enter PEM pass phrase: foofoo
> * successfully set certificate verify locations:
> * CAfile: /usr/share/ssl/certs/ca-bundle.crt
> CApath: none
> * SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed
> * Closing connection #0
> curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). The default
> bundle is named curl-ca-bundle.crt; you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
> ------------------------------
>
> I think I've got a proble with the CA bundle. Any suggestion? I was
> browsing the suggested URL but didn't get any help :(
>
> Regards.
>
>
>
> >
> > --
> > Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
> >
>
Received on 2008-01-22