Help Understanding curl and tls/ssl certificates
From: Michael Newman via curl-users <curl-users_at_lists.haxx.se>
Date: Thu, 20 Jun 2024 08:56:29 +0700
Note that I have read this: https://curl.se/docs/sslcerts.html
To be perfectly honest, it baffles me.
I have three Raspberry Pi 4s running Buster. Each one uploads an image to a web host (HostGator) every two minutes using curl. The code is simple:
curl -s -S -u myname: \
--connect-timeout 25 \
--max-time 40 \
--retry 3 \
--pubkey ~/.ssh/id_rsa.pub \
-T $file $host >> $log 2>&1
It has been working fine for several years on all machines. Yesterday morning all three machines got the same error message at exactly the same time:
Tue Jun 18 12:42:04 +07 2024 convert finish upload begin
curl: (7) Failed to connect to ftp.mydomain.com port 22: Connection refused
This went on for about 20 minutes after which each machine started to get the following:
Tue Jun 18 13:06:04 +07 2024 convert finish upload begin
curl: (60) SSL peer certificate or SSH remote key was not OK
The only way I managed to "fix" this was by adding the following to the curl command:
--insecure
Clearly, this is not ideal.
I have been dealing with several support people from HostGator, none of whom seem to have a clue.
They claim that nothing was changed on their end. However, this seems unlikely to me. How else could three identical machines to which I've done nothing recently start receiving the same error messages if the problem is not with the server?
Their advice was for me to continue using curl in insecure mode; something I do not want to do.
Further information:
pi@raspsky:~/webcam $ curl --version
curl 7.64.0 (arm-unknown-linux-gnueabihf) libcurl/7.64.0 OpenSSL/1.1.1n zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.36.0 librtmp/2.3
Release-Date: 2019-02-06, security patched: 7.64.0-4+deb10u9
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL
I can ssh into the machine and I can start an sftp session:
pi@raspsky:~/webcam $ ssh myname@mydomain.com
Last login: Wed Jun 19 04:47:10 2024
myname@mydomain.com [~]# hostname -s
gator3115
pi@raspsky:~/webcam $ sftp myname@mydomain.com
Connected to myname@mydomain.com.
sftp>
Why does the certificate seem to work with ssh and sftp, but not with curl/sftp?
What should I do at this point?
Received on 2024-06-20
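Added example, not part of the original message: for an sftp:// transfer, curl error 60 reports that the SSH host key check failed, and the alternative to `--insecure` is to compare the key the server presents with the one recorded in known_hosts and, once the change is confirmed with the host, pin it with curl's `--hostpubmd5`. The host name `ftp.example.test`, the key blobs and the function names below are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines (placeholder blobs, not real keys). On a real system:
#   recorded:  ssh-keygen -F "$host" -f ~/.ssh/known_hosts
#   presented: ssh-keyscan -t rsa "$host" 2>/dev/null
RECORDED='# Host ftp.example.test found: line 3
ftp.example.test ssh-rsa Y29uc3RydWN0ZWQtb2xkLWhvc3Qta2V5'
PRESENTED='ftp.example.test ssh-rsa Y29uc3RydWN0ZWQtbmV3LWhvc3Qta2V5'

# Print the base64 key blob of the given type from known_hosts-style lines.
key_blob() {   # $1 = lines, $2 = key type
    printf '%s\n' "$1" | awk -v t="$2" '!/^#/ && $2 == t { print $3; exit }'
}

# MD5 of the decoded blob as 32 hex digits, the form curl --hostpubmd5 takes.
key_md5() {
    printf '%s' "$1" | base64 -d | md5sum | awk '{ print $1 }'
}

# Prints match / changed / no-recorded-key / no-presented-key.
compare_host_key() {   # $1 = recorded lines, $2 = presented lines, $3 = key type
    rec=$(key_blob "$1" "$3"); cur=$(key_blob "$2" "$3")
    if [ -z "$cur" ]; then echo "no-presented-key"; return 3; fi
    if [ -z "$rec" ]; then echo "no-recorded-key"; return 2; fi
    if [ "$rec" = "$cur" ]; then echo "match"; return 0; fi
    echo "changed"; return 1
}

# Report the comparison and both fingerprints for the sample data.
status=$(compare_host_key "$RECORDED" "$PRESENTED" ssh-rsa) || true
echo "ssh-rsa host key: $status"
echo "recorded  md5: $(key_md5 "$(key_blob "$RECORDED" ssh-rsa)")"
echo "presented md5: $(key_md5 "$(key_blob "$PRESENTED" ssh-rsa)")"
```

A "changed" result is the point at which to ask the provider for the server's current host key fingerprint through a separate channel before trusting the new key.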