curl-users

RE: Curl with nss error

From: Craig Foote <craigfoote_at_gmail.com>
Date: Sun, 27 Sep 2015 13:17:21 -0400

I got this reply from Isaac which pointed out to me that I had made a
mistake when writing my question. I'm on a non-internet connected machine
and so had to hand write the message because I couldn't copy and paste.

The command I actually tried was:

curl -v --cert myCert --cacert /home/cdfoote/truststore.pem https://host.com:8444

Craig

From: Isaac Boukris <iboukris_at_gmail.com>
Date: Sat, 26 Sep 2015 00:34:46 +0300

On Sat, Sep 26, 2015 at 12:06 AM, Craig Foote <craigfoote_at_gmail.com>
wrote:
> I'm trying to use curl to access a https address passing it my
> certificate and validating the server's certificate with my own truststore
> (we have our own CA). I am for now running as root.
>
> curl -v --cert /home/cdfoote/myCertificate.pem:mypassword --cert
> /home/cdfoote/truststore.pem https://host.com:8444
>
> This gives me the error:
>
> Unable to load client cert -8018
> NSS error -8018
>
> Googling that and determining that my curl was compiled with nss I've
> converted my certificate to a .pfx (I started with a .jks) and imported it
> into the nss db via:
>
> pk12util -i /home/cdfoote/myCertificate.pfx -d /etc/pki/nssdb
>
> I see it when I list all certs in the db:
>
> certutil -L -d /etc/pki/nssdb
>
> I see its details when I list it by nickname:
>
> certutil -L -d /etc/pki/nssdb -n myCert
>
> I've made the db available via:
>
> export SSL_DIR=/etc/pki/nssdb
>
> Now, the curl command I'm running is:
>
> curl -v --cert myCert --cert /home/cdfoote/truststore.pem
> https://host.com:8444

Doc says about '--cert':
If this option is used several times, the last one will be used.

Perhaps you need (with libnsspem available):
curl -v --cert myCert --cacert /home/cdfoote/truststore.pem https://host.com:8444
> The response is:
>
> About to connect to https//host.com port 8444 (#0)
> Trying ipaddress
> Connected to host.com (ipaddress) port 8444 (#0)
> Initializing NSS with certpath: sql:/etc/pki/nssdb
> CAfile: /home/cdfoote/truststore.pem
> CApath: none
> NSS: client certificate not found: myCert
> SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
> Server certificate:
> ...
> {
> "status" : "403 - Forbidden",
> ...
>
> A few questions:
>
> Does 'CApath: none' indicate the truststore is not found even though the
> 'CAfile' is correct? If so, any ideas why it isn't found?
>
> Any idea why 'myCert' is not found even though NSS is initialized to the
> correct 'certpath' (and it listed fine)?
>
> On another box, where apparently curl is compiled with openssl rather
> than NSS, the original curl command above works. Is there any way I can run
> curl that way without recompiling it?
>
> Thanks in advance, Craig
>
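An added example, not from this thread or from curl itself, that checks a curl command line for the mistake discussed above: single-valued options such as --cert where a repeat silently replaces the earlier value, plus a name-based check for a trust store passed to --cert instead of --cacert (that check is a heuristic assumed by this example, not a curl rule).

```python
"""Added example: lint a curl command line for the mistake in this thread.
A single-valued option such as --cert given twice keeps only the last value
(curl manual: "If this option is used several times, the last one will be
used."), so the client certificate is silently dropped."""
import shlex

# Single-valued TLS options where a repeat replaces the earlier value.
LAST_WINS = {"--cert", "--cacert", "--capath", "--key", "--cert-type", "--key-type"}
SHORT = {"-E": "--cert"}  # -E is the short form of --cert


def parse_options(cmdline):
    """Return (option, value) pairs for LAST_WINS options, in order."""
    argv = shlex.split(cmdline)
    found, i = [], 1  # index 1: skip the 'curl' word itself
    while i < len(argv):
        opt = SHORT.get(argv[i], argv[i])
        if opt in LAST_WINS and i + 1 < len(argv):
            found.append((opt, argv[i + 1]))
            i += 2
        else:
            i += 1
    return found


def lint(cmdline):
    """Return human-readable findings; an empty list means no issue."""
    findings, seen = [], {}
    for opt, val in parse_options(cmdline):
        if opt in seen:
            findings.append(f"{opt} given more than once; curl will use "
                            f"'{val}' and silently drop '{seen[opt]}'")
        seen[opt] = val
    cert = seen.get("--cert")
    if cert is not None:
        # --cert takes 'certificate[:password]'; with the NSS backend the
        # certificate part may be a nickname in the NSS database (myCert).
        name = cert.split(":", 1)[0]
        # Heuristic (an assumption of this example, not a curl rule): a file
        # named like a trust store is the server's CA, not a client cert.
        if "truststore" in name.lower() or "cacert" in name.lower():
            findings.append(f"--cert value '{name}' looks like a CA bundle; "
                            "the server's CA belongs in --cacert")
    return findings


if __name__ == "__main__":  # the thread's original and corrected commands
    print(lint("curl -v --cert /home/cdfoote/myCertificate.pem:mypassword --cert /home/cdfoote/truststore.pem https://host.com:8444"))
    print(lint("curl -v --cert myCert --cacert /home/cdfoote/truststore.pem https://host.com:8444"))
```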

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2015-09-27