curl-users

Re: Curl with nss error

From: Isaac Boukris <iboukris_at_gmail.com>
Date: Sat, 26 Sep 2015 00:34:46 +0300

On Sat, Sep 26, 2015 at 12:06 AM, Craig Foote <craigfoote_at_gmail.com> wrote:
> I'm trying to use curl to access a https address passing it my certificate and validating the server's certificate with my own truststore (we have our own CA). I am for now running as root.
>
> curl -v --cert /home/cdfoote/myCertificate.pem:mypassword --cert /home/cdfoote/truststore.pem https://host.com:8444
>
> This gives me the error:
>
> Unable to load client cert -8018
> NSS error -8018
>
> Googling that and determining that my curl was compiled with nss I've converted my certificate to a .pfx (I started with a .jks) and imported it into the nss db via:
>
> pk12util -i /home/cdfoote/myCertificate.pfx -d /etc/pki/nssdb
>
> I see it when I list all certs in the db:
>
> certutil -L -d /etc/pki/nssdb
>
> I see its details when I list it by nickname:
>
> certutil -L -d /etc/pki/nssdb -n myCert
>
> I've made the db available via:
>
> export SSL_DIR=/etc/pki/nssdb
>
> Now, the curl command I'm running is:
>
> curl -v --cert myCert --cert /home/cdfoote/truststore.pem https://host.com:8444

The doc says about '--cert':
If this option is used several times, the last one will be used.

Perhaps you need (with libnsspem available):
curl -v --cert myCert --cacert /home/cdfoote/truststore.pem https://host.com:8444

> The response is:
>
> About to connect to https//host.com port 8444 (#0)
> Trying ipaddress
> Connected to host.com (ipaddress) port 8444(#0)
> Initializing NSS with certpath: sql:/etc/pki/nssdb
> CAfile: /home/cdfoote/truststore.pem
> CApath: none
> NSS: client certificate not found: myCert
> SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> Server certificate:
> ...
> {
> "status" : "403 - Forbidden",
> ...
>
> A few questions:
>
> Does 'CApath: none' indicate the truststore is not found even though the 'CAfile' is correct? If so, any ideas why it isn't found?
>
> Any idea why 'myCert' is not found even though NSS is initialized to the correct 'certpath' (and it listed fine)?
>
> On another box, where apparently curl is compiled with openssl rather than NSS, the original curl command above works. Is there any way I can run curl that way without recompiling it?
>
> Thanks in advance, Craig
>
> -------------------------------------------------------------------
> List admin: http://cool.haxx.se/list/listinfo/curl-users
> FAQ: http://curl.haxx.se/docs/faq.html
> Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-09-25
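
The point made in the reply (a repeated `--cert` replaces the earlier one, and the trust store belongs under `--cacert`) can be checked before a command is run. This is an added example, not part of the original message and not curl's own code; the function name `check_cert_args` and its output format are assumptions, and the sample arguments are the two command lines from the thread.

```sh
#!/bin/sh
# Added example: lint a curl argument list for a --cert that silently
# overrides an earlier --cert (curl keeps only the last one).
# Prints the effective client cert and CA file; exits 1 on an override.
check_cert_args() (
    n=0 cert="" ca="" dropped=""
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -E|--cert)
                # Remember the value that is about to be replaced.
                if [ "$n" -gt 0 ]; then dropped="$dropped $cert"; fi
                n=$((n + 1))
                cert="${2-}"
                # --cert takes <certificate[:password]>; never echo the password.
                # Simplification: backslash-escaped colons are not handled.
                cert="${cert%%:*}"
                if [ "$#" -gt 1 ]; then shift; fi ;;
            --cacert)
                ca="${2-}"
                if [ "$#" -gt 1 ]; then shift; fi ;;
        esac
        shift
    done
    echo "client-cert=${cert:-none}"
    echo "cacert=${ca:-default}"
    if [ "$n" -gt 1 ]; then
        echo "overridden:$dropped"
        exit 1   # leaves only this function's subshell
    fi
)

# Command from the question: the trust store was passed as a second --cert.
check_cert_args -v --cert myCert --cert /home/cdfoote/truststore.pem \
    https://host.com:8444 || true

# Command suggested in the reply: trust store passed with --cacert.
check_cert_args -v --cert myCert --cacert /home/cdfoote/truststore.pem \
    https://host.com:8444
```
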