
Re: Help Understanding curl and tls/ssl certificates

From: Dan Fandrich via curl-users <curl-users_at_lists.haxx.se>
Date: Wed, 19 Jun 2024 23:56:15 -0700

On Thu, Jun 20, 2024 at 08:56:29AM +0700, Michael Newman via curl-users wrote:
> Note that I have read this: https://curl.se/docs/sslcerts.html

SSL/TLS certs are used for protocols like FTPS and HTTPS, but notably NOT with
SCP/SFTP/SSH.

> To be perfectly honest, it baffles me.

I have an idea why you're baffled.

> I have three Raspberry Pi 4s running Buster. Each one uploads an image to a web
> host (HostGator) every two minutes using curl. The code is simple:
>
> curl -s -S -u myname: \
> --connect-timeout 25 \
> --max-time 40 \
> --retry 3 \
> --pubkey ~/.ssh/id_rsa.pub \
> -T $file $host >> $log 2>&1

You don't provide the URL scheme you're using to upload, but --pubkey is only
used for scp/sftp transfers. So, if that's what you're trying to do, reading
about SSL certs is irrelevant and will just confuse you.

> It has been working fine for several years on all machines. Yesterday morning
> all three machines got the same error message at exactly the same time:
>
> Tue Jun 18 12:42:04 +07 2024 convert finish upload begin
> curl: (7) Failed to connect to ftp.mydomain.com port 22: Connection refused

However, this error message implies that you're actually using (ftp or ftps) to
connect to the server, not sftp.

> This went on for about 20 minutes after which each machine started to get the
> following:
>
> Tue Jun 18 13:06:04 +07 2024 convert finish upload begin
> curl: (60) SSL peer certificate or SSH remote key was not OK
>
> The only way I managed to "fix" this was by adding the following to the curl
> command:
>
> --insecure
>
> Clearly, this is not ideal.

Adding -v will show more information about the certificate that's failing.

> I have been dealing with several support people from HostGator none of whom
> seem to have a clue.
>
> They claim that nothing was changed on their end. However, this seems unlikely
> to me. How else could three identical machines to which I've done nothing

That seems unlikely to me as well, although there are some other explanations.
For example, a proxy server between you and the host may have changed instead,
or a firewall on the local machine.

> recently start receiving the same error messages if the problem is not with the
> server?
>
> Their advice was for me to continue using curl in insecure mode; something I do
> not want to do.

That sounds like advice from people who don't really want to give you advice.

> I can ssh into the machine and I can start an sftp session:

This is a strong clue that you actually *do* want sftp and not ftp/ftps. Since
the curl command is doing an ftp transfer, the first thing to change is the URL,
to select an sftp transfer instead.

Dan
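As an added illustration (not code from this thread or from the curl project): a small POSIX sh lint that catches the two mismatches Dan points out, an SSH key option paired with a non-sftp URL and --insecure used to paper over a verification failure, plus a helper that makes the sftp:// scheme explicit. The names upload_url, lint_curl_args and example_args are my own.

```shell
# Added example, not code from the thread or from the curl project.
# Assumed helper names: upload_url, lint_curl_args, example_args.

# Turn a bare host name into an explicit sftp:// URL. When no scheme is given,
# curl guesses one from the host name (an "ftp." prefix becomes ftp://), which
# is how an upload meant for SSH can quietly turn into an FTP attempt.
upload_url() {
  case "$1" in
    sftp://*|scp://*) printf '%s\n' "$1" ;;         # already explicit
    *://*)            return 1 ;;                   # other scheme: refuse to guess
    *)                printf 'sftp://%s\n' "$1" ;;  # no scheme: make it sftp
  esac
}

# Check a curl argument list the way the reply reasons about it: --pubkey/--key
# only apply to sftp:// or scp:// URLs, and --insecure/-k disables the host key
# (or certificate) check instead of fixing whatever made it fail.
lint_curl_args() {
  insecure=0 sshkey=0 url=""
  for arg in "$@"; do
    case "$arg" in
      -k|--insecure)  insecure=1 ;;
      --pubkey|--key) sshkey=1 ;;
      *://*)          url="$arg" ;;
    esac
  done
  if [ "$insecure" -eq 1 ]; then
    echo "lint: --insecure turns off verification; drop it and fix the cause" >&2
    return 1
  fi
  case "$url" in
    sftp://*|scp://*) return 0 ;;
  esac
  if [ "$sshkey" -eq 1 ]; then
    echo "lint: --pubkey/--key need an sftp:// or scp:// URL (got: ${url:-no scheme})" >&2
    return 1
  fi
  return 0
}

# Constructed sample: the thread's command with the URL made explicit.
# With a proper sftp:// URL the curl tool checks the server's host key against
# ~/.ssh/known_hosts, so --insecure has no place in this upload.
example_args() {
  lint_curl_args -s -S -u myname: --retry 3 \
    --pubkey "$HOME/.ssh/id_rsa.pub" -T image.jpg \
    "$(upload_url ftp.mydomain.com)/~/"
}
```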
Received on 2024-06-20