curl-users
Curl failed to authenticate CA server certificate
Date: Fri, 18 Jan 2019 14:58:49 +0530
I was trying out a few tests for the certificate enrollment procedure using the curl
tool, as described on testrfc7030.com. The cacert download procedure
works with the CA server hosted at testrfc7030.com.
But I find problems when I host the CA server locally using the libest
server example program.
$ curl https://localhost:8085/.well-known/est/cacerts -o cacerts.p7 --cacert ./cacert.crt -v
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Trying ::1...
* TCP_NODELAY set
* connect to ::1 port 8085 failed: Connection refused
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8085 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: ./cacert.crt
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [94 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [777 bytes data]
* TLSv1.2 (OUT), TLS alert, decrypt error (563):
} [2 bytes data]
* error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
} [2 bytes data]
curl: (35) error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
The cacert download procedure was working earlier with the locally hosted CA
server, but it started failing when I added an OCSP URI to the CA server
certificate. The above problem still exists even though I reverted my changes to the CA server
certificate. One more note: the libest client example program successfully
downloads the cacert, and authentication also succeeds, with the same CA
server certificates for which the curl tool is throwing the error.
I am using curl version 7.63.0 and openssl version 1.0.1u. Also note
that curl and libest are using the same version of openssl, openssl-1.0.1u.
It would be very helpful if you could give some guidance on why curl is
failing here.
Thanks & Regards,
Deepak
Received on 2019-01-18